From 86afbd02c890eca08424174b7d6e583af38b0363 Mon Sep 17 00:00:00 2001
From: Jakub Narebski <jnareb@gmail.com>
Date: Thu, 30 Jun 2011 11:39:20 +0200
Subject: gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss

One of mechanism enabled by setting $prevent_xss to true is 'blob_plain'
view protection.  With XSS prevention on, blobs of all types except a
few known safe ones are served with "Content-Disposition: attachment" to
make sure they don't run in our security domain.

Instead of serving text/* type files, except text/plain (and including
text/html), as attachements, downgrade it to text/plain.  This way HTML
pages in 'blob_plain' (raw) view would be displayed in browser, but
safely as a source, and not asked to be saved.

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index c554887..1b97172 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -4752,7 +4752,15 @@ sub git_blob_plain {
 	# want to be sure not to break that by serving the image as an
 	# attachment (though Firefox 3 doesn't seem to care).
 	my $sandbox = $prevent_xss &&
-		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
+		$type !~ m!^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
+
+	# serve text/* as text/plain
+	if ($prevent_xss &&
+	    $type =~ m!^text/[a-z]+\b(.*)$!) {
+		my $rest = $1;
+		$rest = defined $rest ? $rest : '';
+		$type = "text/plain$rest";
+	}
 
 	print $cgi->header(
 		-type => $type,
-- 
cgit v0.10.2-6-g49f6


From e8c35317172aab9da7afe555da603021a3ae89e5 Mon Sep 17 00:00:00 2001
From: Jakub Narebski <jnareb@gmail.com>
Date: Thu, 30 Jun 2011 11:39:21 +0200
Subject: gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss

Enhance usability of 'blob_plain' view protection against XSS attacks
(enabled by setting $prevent_xss to true) by serving contents inline
as safe 'text/plain' mimetype where possible, instead of serving with
"Content-Disposition: attachment" to make sure they don't run in
gitweb's security domain.

This patch broadens downgrading to 'text/plain' further, to any
*/*+xml mimetype.  This includes:

  application/xhtml+xml    (*.xhtml, *.xht)
  application/atom+xml     (*.atom)
  application/rss+xml      (*.rss)
  application/mathml+xm    (*.mathml)
  application/docbook+xml  (*.docbook)
  image/svg+xml            (*.svg, *.svgz)

Probably most useful is serving XHTML files as text/plain in
'blob_plain' view, directly viewable.

Because file with 'image/svg+xml' mimetype can be compressed SVGZ
file, we have to check if */*+xml really is text file, via '-T $fd'.

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 1b97172..2aec913 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -4756,7 +4756,8 @@ sub git_blob_plain {
 
 	# serve text/* as text/plain
 	if ($prevent_xss &&
-	    $type =~ m!^text/[a-z]+\b(.*)$!) {
+	    ($type =~ m!^text/[a-z]+\b(.*)$! ||
+	     ($type =~ m!^[a-z]+/[a-z]\+xml\b(.*)$! && -T $fd))) {
 		my $rest = $1;
 		$rest = defined $rest ? $rest : '';
 		$type = "text/plain$rest";
-- 
cgit v0.10.2-6-g49f6