gitweb: Fix usability of $prevent_xss
With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment". However the check was too
strict; it didn't take into account optional parameter attributes,
media-type = type "/" subtype *( ";" parameter )
as described in RFC 2616
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
This fixes that, and it for example treats following as safe MIME
media type:
text/plain; charset=utf-8
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
maint
Jakub Narebski
Junio C Hamano
parent
7e1100e9e9
commit
bee6ea17a1
|
|
@ -4752,7 +4752,7 @@ sub git_blob_plain {
|
|||
# want to be sure not to break that by serving the image as an
|
||||
# attachment (though Firefox 3 doesn't seem to care).
|
||||
my $sandbox = $prevent_xss &&
|
||||
$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
|
||||
$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
|
||||
|
||||
print $cgi->header(
|
||||
-type => $type,
|
||||
|
|
|
|||
Loading…
Reference in New Issue