summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLibravatar Jakub Narebski <jnareb@gmail.com>2011-06-30 11:39:21 +0200
committerLibravatar Junio C Hamano <gitster@pobox.com>2011-06-30 11:26:48 -0700
commite8c35317172aab9da7afe555da603021a3ae89e5 (patch)
tree80b5f0cbbc86ad2ea24a0146aeba9a8c2561ebe7
parentgitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss (diff)
downloadtgif-e8c35317172aab9da7afe555da603021a3ae89e5.tar.xz
gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss
Enhance usability of 'blob_plain' view protection against XSS attacks (enabled by setting $prevent_xss to true) by serving contents inline as safe 'text/plain' mimetype where possible, instead of serving with "Content-Disposition: attachment" to make sure they don't run in gitweb's security domain. This patch broadens downgrading to 'text/plain' further, to any */*+xml mimetype. This includes: application/xhtml+xml (*.xhtml, *.xht) application/atom+xml (*.atom) application/rss+xml (*.rss) application/mathml+xm (*.mathml) application/docbook+xml (*.docbook) image/svg+xml (*.svg, *.svgz) Probably most useful is serving XHTML files as text/plain in 'blob_plain' view, directly viewable. Because file with 'image/svg+xml' mimetype can be compressed SVGZ file, we have to check if */*+xml really is text file, via '-T $fd'. Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
-rwxr-xr-xgitweb/gitweb.perl3
1 files changed, 2 insertions, 1 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 1b97172ca8..2aec91307f 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -4756,7 +4756,8 @@ sub git_blob_plain {
# serve text/* as text/plain
if ($prevent_xss &&
- $type =~ m!^text/[a-z]+\b(.*)$!) {
+ ($type =~ m!^text/[a-z]+\b(.*)$! ||
+ ($type =~ m!^[a-z]+/[a-z]\+xml\b(.*)$! && -T $fd))) {
my $rest = $1;
$rest = defined $rest ? $rest : '';
$type = "text/plain$rest";