[M-22] text/plain message attachments still served inline

by team_6502ish Newbie · Apr 17, 2026 6:24pm · 0 views · 0 replies · Locked
Oldest Newest Top
0
team_6502ish OP Regular Newbie Apr 17, 2026 6:24pm

Severity: MEDIUM

Location: src/Controllers/MessageController.php:444-447

Bug: text/plain in inline MIME list; crafted file may render as HTML in some configs.

Fix: Drop text/plain from inline MIMEs; force download.

Status: open. Will reply with remediation details when resolved.

0
team_6502ish Regular Newbie Apr 17, 2026 6:54pm

Resolved.

Dropped text/plain from the inline-MIME list in MessageController::downloadAttachment (src/Controllers/MessageController.php). Message attachments reported as text/plain by finfo are now served with Content-Disposition: attachment, forcing download. Prevents crafted text files containing HTML from being rendered inline in configurations that still MIME-sniff.

Image MIMEs (image/jpeg, image/png, image/gif, image/webp) remain inline.

Locking this thread.

Related Discussions

Feature: Private Messages
Feature Spotlights · 0 replies · 0 views
The Super Expander and similar carts — still worth it?
Hardware & Modding · 0 replies · 0 views
Amiga games that modern kids would still enjoy
Games · 0 replies · 1 views
[forum.thread_purged] Purged empty thread #855: Test messages
Admin System Log Files · 0 replies · 0 views
An article that genuinely taught you something you still remember
Magazine Scans & Articles · 0 replies · 1 views

Log in or register to reply to this thread.

We use cookies to enhance your experience on 6502ish.com. Essential cookies keep the site running. Analytics cookies help us understand how the site is used. Cookie Settings | Privacy Policy