gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss
One of mechanism enabled by setting $prevent_xss to true is 'blob_plain' view protection. With XSS prevention on, blobs of all types except a few known safe ones are served with "Content-Disposition: attachment" to make sure they don't run in our security domain. Instead of serving text/* type files, except text/plain (and including text/html), as attachements, downgrade it to text/plain. This way HTML pages in 'blob_plain' (raw) view would be displayed in browser, but safely as a source, and not asked to be saved. Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Jakub Narebski
Junio C Hamano
parent
bee6ea17a1
commit
86afbd02c8
@ -4752,7 +4752,15 @@ sub git_blob_plain {
|
||||
# want to be sure not to break that by serving the image as an
|
||||
# attachment (though Firefox 3 doesn't seem to care).
|
||||
my $sandbox = $prevent_xss &&
|
||||
$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
|
||||
$type !~ m!^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
|
||||
|
||||
# serve text/* as text/plain
|
||||
if ($prevent_xss &&
|
||||
$type =~ m!^text/[a-z]+\b(.*)$!) {
|
||||
my $rest = $1;
|
||||
$rest = defined $rest ? $rest : '';
|
||||
$type = "text/plain$rest";
|
||||
}
|
||||
|
||||
print $cgi->header(
|
||||
-type => $type,
|
||||
|
||||
Loading…
Reference in New Issue
Block a user