author    Jakub Narebski <>    2011-06-04 08:43:35 (GMT)
committer Junio C Hamano <>    2011-06-05 17:38:47 (GMT)
commit    bee6ea17a1bab824eba6133eefc3c70b219ec98c (patch)
tree      c19d98d92c759feaae3ad9b8ebbdd6cb1081efb5 /gitweb
parent    7e1100e9e939c9178b2aa3969349e9e8d34488bf (diff)
gitweb: Fix usability of $prevent_xss
With XSS prevention on (enabled using $prevent_xss), blobs ('blob_plain') of all types except a few known safe ones are served with "Content-Disposition: attachment".

However the check was too strict; it didn't take into account optional parameter attributes,

  media-type = type "/" subtype *( ";" parameter )

as described in RFC 2616.

This fixes that, and it for example treats the following as a safe MIME media type:

  text/plain; charset=utf-8

Signed-off-by: Jakub Narebski <>
Signed-off-by: Junio C Hamano <>
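The media-type grammar quoted in the commit message, worked through as an added example (Python here, not gitweb's Perl, and not part of this commit): the pre-patch and post-patch regexes applied to sample media types, next to a stricter check that actually parses `type "/" subtype *( ";" parameter )` per RFC 2616 section 3.7 instead of stopping at the first space or semicolon. The sample inputs are constructed for the example; the `parse_media_type` parser and the `sandbox_*` helper names are this example's own, not gitweb identifiers.

```python
import re

# Pre-patch check: anchored at both ends, so a media type carrying any
# parameter ("text/plain; charset=utf-8") fails and is served as attachment.
OLD_SAFE = re.compile(r'^(?:text/plain|image/(?:gif|png|jpeg))$')

# Post-patch check: the safe type may be followed by end of string, a space
# or a ';'.  Whatever comes after that separator is never inspected.
NEW_SAFE = re.compile(r'^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)')

SAFE_TYPES = {"text/plain", "image/gif", "image/png", "image/jpeg"}

# RFC 2616 token: 1*<any CHAR except CTLs or separators>.
TOKEN = r"[!#$%&'*+\-.0-9A-Z^_`a-z|~]+"
# RFC 2616 quoted-string: '"' *(qdtext | quoted-pair) '"'.
QUOTED = r'"(?:[^"\\\x00-\x1f]|\\.)*"'
# parameter = attribute "=" value, introduced by ";" with optional LWS.
PARAM = re.compile(r'\s*;\s*(' + TOKEN + r')=(' + TOKEN + '|' + QUOTED + ')')
MEDIA = re.compile(r'^(' + TOKEN + r')/(' + TOKEN + ')')


def parse_media_type(value):
    """Parse type/subtype *( ";" parameter ) per RFC 2616 3.7.

    Returns (lowercased type/subtype, {attribute: value}) or None when the
    string is not a well-formed media type (e.g. trailing non-parameter text).
    """
    value = value.rstrip()
    m = MEDIA.match(value)
    if not m:
        return None
    media_type = (m.group(1) + "/" + m.group(2)).lower()
    params = {}
    pos = m.end()
    while pos < len(value):
        p = PARAM.match(value, pos)
        if not p:
            return None           # something after type/subtype that is not a parameter
        params[p.group(1).lower()] = p.group(2)
        pos = p.end()
    return media_type, params


# Each helper returns True when the blob should be served as an attachment.
def sandbox_old(media_type):
    return not OLD_SAFE.search(media_type)


def sandbox_new(media_type):
    return not NEW_SAFE.search(media_type)


def sandbox_strict(media_type):
    """Allowlist by parsed type/subtype only; malformed input is sandboxed."""
    parsed = parse_media_type(media_type)
    if parsed is None:
        return True
    kind, _params = parsed
    return kind not in SAFE_TYPES


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any gitweb installation.
    for sample in ("text/plain", "text/plain; charset=utf-8",
                   "text/plain evil", "text/html", "image/svg+xml"):
        print("%-28s old=%s new=%s strict=%s" % (
            sample, sandbox_old(sample), sandbox_new(sample), sandbox_strict(sample)))
```

Running it shows the point of the patch (`text/plain; charset=utf-8` is sandboxed by the old regex and served inline by the new one) and also the limit of the new regex: `text/plain evil` passes it because matching stops at the space, while the RFC-grammar parser rejects it.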
Diffstat (limited to 'gitweb')
1 files changed, 1 insertions, 1 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index bdaa4e9..c554887 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -4752,7 +4752,7 @@ sub git_blob_plain {
# want to be sure not to break that by serving the image as an
# attachment (though Firefox 3 doesn't seem to care).
my $sandbox = $prevent_xss &&
- $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+ $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
print $cgi->header(
-type => $type,
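Review bot: the new pattern in git_blob_plain validates only the type/subtype prefix of $type and stops at the first space or ';', so `text/plain; charset=utf-8` is served inline as intended, but so is anything shaped like `text/plain <junk>`, and the parameters themselves are never examined. If $type can carry parameters here, consider requiring the RFC 2616 separator, e.g. `(?:\s*;|$)` instead of `(?:[ ;]|$)`, since the grammar only admits parameters introduced by ';' with optional LWS; and because a charset parameter changes how a browser interprets text/plain, either strip parameters before the comparison or allowlist the charset values permitted for inline display. The comment just above the regex explains why images are served inline; a word there that parameters are now tolerated would tell the next reader the trailing `(?:[ ;]|$)` is deliberate.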