author:    Jakub Narebski <jnareb@gmail.com>  2011-06-04 08:43:35 (GMT)
committer: Junio C Hamano <gitster@pobox.com>  2011-06-05 17:38:47 (GMT)
commit:    bee6ea17a1bab824eba6133eefc3c70b219ec98c (patch)
tree:      c19d98d92c759feaae3ad9b8ebbdd6cb1081efb5 /shell.c
parent:    7e1100e9e939c9178b2aa3969349e9e8d34488bf (diff)
download:  git-bee6ea17a1bab824eba6133eefc3c70b219ec98c.zip
           git-bee6ea17a1bab824eba6133eefc3c70b219ec98c.tar.gz
           git-bee6ea17a1bab824eba6133eefc3c70b219ec98c.tar.bz2
gitweb: Fix usability of $prevent_xss
With XSS prevention on (enabled using $prevent_xss), blobs ('blob_plain') of all types except a few known safe ones are served with "Content-Disposition: attachment". However the check was too strict; it didn't take into account optional parameter attributes,

  media-type = type "/" subtype *( ";" parameter )

as described in RFC 2616

  http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7

This fixes that, and it for example treats the following as a safe MIME media type:

  text/plain; charset=utf-8

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
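The check the commit message describes, as an added example (this is not gitweb's Perl code and the diff itself is not shown on this page): a parser for the RFC 2616 media-type production that separates type/subtype from its optional `;` parameters, the too-strict whole-string comparison beside the parameter-aware one, and the resulting `Content-Disposition` decision. The list of "known safe" types is an assumption for the example, since the commit message does not enumerate gitweb's list.

```python
import re

# Assumed allow-list of media types safe to render inline in a browser.
# gitweb keeps its own short list; the commit message only says
# "a few known safe ones", so this set is constructed for the example.
SAFE_MEDIA_TYPES = {"text/plain", "image/png", "image/gif", "image/jpeg"}

# RFC 2616 token characters for type and subtype.
_TYPE_SUBTYPE = re.compile(r"^([A-Za-z0-9!#$&^_.+-]+)/([A-Za-z0-9!#$&^_.+-]+)$")


def parse_media_type(value):
    """Split an RFC 2616 media-type into ("type/subtype", {param: value}).

        media-type = type "/" subtype *( ";" parameter )

    type, subtype and parameter names are case-insensitive, so they are
    lower-cased; parameter values keep their case (charset values are
    compared case-insensitively by consumers, but quoted strings need not be).
    Returns None when the value is not a well-formed media type.
    """
    parts = [p.strip() for p in value.split(";")]
    m = _TYPE_SUBTYPE.match(parts[0])
    if not m:
        return None
    mime = f"{m.group(1).lower()}/{m.group(2).lower()}"
    params = {}
    for p in parts[1:]:
        if not p:
            continue  # tolerate a trailing ';'
        if "=" not in p:
            return None  # parameter = attribute "=" value; reject junk
        k, v = p.split("=", 1)
        params[k.strip().lower()] = v.strip().strip('"')
    return mime, params


def is_safe_strict(content_type):
    """The pre-fix behaviour: whole-string match, so any parameter
    (e.g. '; charset=utf-8') makes a safe type look unsafe."""
    return content_type in SAFE_MEDIA_TYPES


def is_safe(content_type):
    """The fixed behaviour: compare only type/subtype, ignoring parameters.
    Anything unparsable is treated as unsafe (fail closed)."""
    parsed = parse_media_type(content_type)
    if parsed is None:
        return False
    mime, _params = parsed
    return mime in SAFE_MEDIA_TYPES


def blob_plain_headers(content_type, filename, prevent_xss=True):
    """Headers a 'blob_plain'-style endpoint would send for a blob.

    With prevent_xss on, every type outside the allow-list is forced to
    download via Content-Disposition: attachment, so browser-executable
    content (HTML, SVG, ...) stored in a repository is never rendered inline
    under the site's origin. The filename is a hypothetical argument here;
    a real server must also sanitise it before quoting it in a header.
    """
    headers = {"Content-Type": content_type}
    if prevent_xss and not is_safe(content_type):
        headers["Content-Disposition"] = f'attachment; filename="{filename}"'
    return headers


if __name__ == "__main__":
    for ct in ("text/plain", "text/plain; charset=utf-8",
               "text/html; charset=utf-8", "image/svg+xml"):
        print(f"{ct!r:32} strict={is_safe_strict(ct)!s:5} fixed={is_safe(ct)}")
```

The important design point is in `is_safe`: a malformed Content-Type yields "unsafe", so the attachment header is still sent; the fix widens the match only for well-formed parameters, not for arbitrary trailing text.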
Diffstat (limited to 'shell.c')
0 files changed, 0 insertions, 0 deletions