From 747afb20bfcff14bb67e40e7035d47a6311ba3e1 Mon Sep 17 00:00:00 2001
From: Patrick Canterino
Date: Sun, 4 Jan 2026 14:54:55 +0100
Subject: [PATCH] Disable MIME sniffing to prevent preview of invalid (propably harmful) file types

Reported by Yann CAM and Killian CHEVRIER
---
 f.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/f.php b/f.php
index 922668f..269b10b 100644
--- a/f.php
+++ b/f.php
@@ -231,6 +231,7 @@ if (!jirafeau_is_viewable($link['mime_type']) || !$cfg['preview'] || $do_downloa
 header('Content-Disposition: attachment; filename="' . $link['file_name'] . '"');
 } else {
 header('Content-Disposition: filename="' . $link['file_name'] . '"');
+ header('X-Content-Type-Options: nosniff');
 }
 header('Content-Type: ' . $link['mime_type']);
 if ($cfg['file_hash'] == "md5") {
-- 
2.43.0
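Review bot: The added `header('X-Content-Type-Options: nosniff');` is sent only in the `else` (inline preview) branch, so responses from the attachment branch still go out without it. Content-Disposition does not apply when the URL is loaded as a subresource, so the download path would benefit from the same header. Moving the line below the closing `}`, next to `header('Content-Type: ' . $link['mime_type']);`, covers both paths. nosniff only makes the browser honour the declared type; if `$link['mime_type']` originates from the uploader (not visible in this hunk), the preview remains only as safe as the `jirafeau_is_viewable()` allowlist, which a short comment above the header could state. The enclosing `if`/`else` begins outside the hunk.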