diff options
| author | Jakub Narebski <jnareb@gmail.com> | 2011-06-30 09:39:20 (GMT) |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2011-06-30 18:26:39 (GMT) |
| commit | 86afbd02c890eca08424174b7d6e583af38b0363 (patch) | |
| tree | e4efdf51b35e86e67aef5f3c01dfa1a966e46db4 /gitweb | |
| parent | bee6ea17a1bab824eba6133eefc3c70b219ec98c (diff) | |
| download | git-86afbd02c890eca08424174b7d6e583af38b0363.zip git-86afbd02c890eca08424174b7d6e583af38b0363.tar.gz git-86afbd02c890eca08424174b7d6e583af38b0363.tar.bz2 | |
gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss
One of mechanism enabled by setting $prevent_xss to true is 'blob_plain'
view protection. With XSS prevention on, blobs of all types except a
few known safe ones are served with "Content-Disposition: attachment" to
make sure they don't run in our security domain.
Instead of serving text/* type files, except text/plain (and including
text/html), as attachements, downgrade it to text/plain. This way HTML
pages in 'blob_plain' (raw) view would be displayed in browser, but
safely as a source, and not asked to be saved.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gitweb')
| -rwxr-xr-x | gitweb/gitweb.perl | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index c554887..1b97172 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4752,7 +4752,15 @@ sub git_blob_plain { # want to be sure not to break that by serving the image as an # attachment (though Firefox 3 doesn't seem to care). my $sandbox = $prevent_xss && - $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!; + $type !~ m!^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)!; + + # serve text/* as text/plain + if ($prevent_xss && + $type =~ m!^text/[a-z]+\b(.*)$!) { + my $rest = $1; + $rest = defined $rest ? $rest : ''; + $type = "text/plain$rest"; + } print $cgi->header( -type => $type, |