diff options
| author | Jakub Narebski <jnareb@gmail.com> | 2011-06-04 10:43:35 +0200 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2011-06-05 10:38:47 -0700 |
| commit | bee6ea17a1bab824eba6133eefc3c70b219ec98c (patch) | |
| tree | c19d98d92c759feaae3ad9b8ebbdd6cb1081efb5 | |
| parent | 7e1100e9e939c9178b2aa3969349e9e8d34488bf (diff) | |
| download | git-bee6ea17a1bab824eba6133eefc3c70b219ec98c.tar.gz | |
gitweb: Fix usability of $prevent_xss
With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment". However the check was too
strict; it didn't take into account optional parameter attributes,
media-type = type "/" subtype *( ";" parameter )
as described in RFC 2616
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
This fixes that, and it for example treats following as safe MIME
media type:
text/plain; charset=utf-8
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
| -rwxr-xr-x | gitweb/gitweb.perl | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index bdaa4e9463..c5548875ff 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4752,7 +4752,7 @@ sub git_blob_plain { # want to be sure not to break that by serving the image as an # attachment (though Firefox 3 doesn't seem to care). my $sandbox = $prevent_xss && - $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!; + $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!; print $cgi->header( -type => $type, |