fix(helpdesk): add security headers and size limit to file proxy

- X-Content-Type-Options: nosniff prevents MIME sniffing
- Content-Security-Policy: sandbox prevents script execution
- 20 MB size limit on decoded file data (413 on exceed)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-04-05 22:53:46 +02:00
parent 2c2392b398
commit f974ca4fd4

View File

@@ -45,7 +45,18 @@ if (!$result['ok'] || !isset($result['data'])) {
}
$data = $result['data'];
$maxFileSize = 20 * 1024 * 1024; // 20 MB
if (strlen($data) > $maxFileSize) {
http_response_code(413);
Router::json(['ok' => false, 'error' => 'File too large']);
return;
}
$displayFilename = $filename !== '' ? $filename : 'attachment-' . $entryNo;
header('X-Content-Type-Options: nosniff');
header('Content-Security-Policy: sandbox');
Router::download($displayFilename, $data);