diff options
| author | Jakub Narebski <jnareb@gmail.com> | 2011-06-30 11:39:21 +0200 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2011-06-30 11:26:48 -0700 |
| commit | e8c35317172aab9da7afe555da603021a3ae89e5 (patch) | |
| tree | 80b5f0cbbc86ad2ea24a0146aeba9a8c2561ebe7 /gitweb/gitweb.perl | |
| parent | 86afbd02c890eca08424174b7d6e583af38b0363 (diff) | |
| download | git-e8c35317172aab9da7afe555da603021a3ae89e5.tar.gz | |
gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss
Enhance usability of 'blob_plain' view protection against XSS attacks
(enabled by setting $prevent_xss to true) by serving contents inline
as safe 'text/plain' mimetype where possible, instead of serving with
"Content-Disposition: attachment" to make sure they don't run in
gitweb's security domain.
This patch broadens downgrading to 'text/plain' further, to any
*/*+xml mimetype. This includes:
application/xhtml+xml (*.xhtml, *.xht)
application/atom+xml (*.atom)
application/rss+xml (*.rss)
application/mathml+xm (*.mathml)
application/docbook+xml (*.docbook)
image/svg+xml (*.svg, *.svgz)
Probably most useful is serving XHTML files as text/plain in
'blob_plain' view, directly viewable.
Because file with 'image/svg+xml' mimetype can be compressed SVGZ
file, we have to check if */*+xml really is text file, via '-T $fd'.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gitweb/gitweb.perl')
| -rwxr-xr-x | gitweb/gitweb.perl | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 1b97172ca8..2aec91307f 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4756,7 +4756,8 @@ sub git_blob_plain { # serve text/* as text/plain if ($prevent_xss && - $type =~ m!^text/[a-z]+\b(.*)$!) { + ($type =~ m!^text/[a-z]+\b(.*)$! || + ($type =~ m!^[a-z]+/[a-z]\+xml\b(.*)$! && -T $fd))) { my $rest = $1; $rest = defined $rest ? $rest : ''; $type = "text/plain$rest"; |