Verify Content-Type from smart HTTP servers
author Shawn Pearce <spearce@spearce.org>
Thu, 31 Jan 2013 21:02:07 +0000 (13:02 -0800)
committer Junio C Hamano <gitster@pobox.com>
Mon, 4 Feb 2013 18:22:36 +0000 (10:22 -0800)
commit 4656bf47fca857df51b5d6f4b7b052192b3b2317
tree 91e4d6cf951f2964de99d454ec89e426753ac453
parent e1b6ff44d61bcdd91280c3f7c3c5ace32d4b7c52
Verify Content-Type from smart HTTP servers

Before parsing a suspected smart-HTTP response verify the returned
Content-Type matches the standard. This protects a client from
attempting to process a payload that smells like a smart-HTTP
server response.

JGit has been doing this check on all responses since the dawn of
time. I mistakenly failed to include it in git-core when smart HTTP
was introduced. At the time I didn't know how to get the Content-Type
from libcurl. I punted, meant to circle back and fix this, and just
plain forgot about it.

Signed-off-by: Shawn Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
http-push.c
http.c
http.h
remote-curl.c
t/lib-httpd.sh
t/lib-httpd/apache.conf
t/lib-httpd/broken-smart-http.sh [new file with mode: 0755]
t/t5551-http-fetch.sh
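
The ordering the commit message describes, header check first and payload parsing second, as an added example that is not code from this commit or from git-core. The names classify_advert, pkt_len and advert_kind are hypothetical; the media type application/x-<service>-advertisement and the "# service=" first pkt-line are taken from Git's HTTP protocol documentation, not from this page.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum advert_kind { ADVERT_DUMB, ADVERT_SMART, ADVERT_INVALID };

/* Decode the 4 hex digits of a pkt-line length prefix; -1 if malformed. */
static int pkt_len(const char *buf, size_t len)
{
	int n = 0;
	if (len < 4) return -1;
	for (int i = 0; i < 4; i++) {
		char c = buf[i];
		int d = (c >= '0' && c <= '9') ? c - '0' :
			(c >= 'a' && c <= 'f') ? c - 'a' + 10 :
			(c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
		if (d < 0) return -1;
		n = n * 16 + d;
	}
	return n;
}

/* The Content-Type header decides; the body is parsed only after it matched. */
enum advert_kind classify_advert(const char *content_type, const char *service,
				 const char *body, size_t body_len)
{
	char want_type[128], want_line[128];
	snprintf(want_type, sizeof(want_type), "application/x-%s-advertisement", service);
	/* Strict match (a choice of this example): anything else is not smart HTTP. */
	if (!content_type || strcasecmp(content_type, want_type))
		return ADVERT_DUMB;
	snprintf(want_line, sizeof(want_line), "# service=%s", service);
	int n = pkt_len(body, body_len);
	if (n < 4 || (size_t)n > body_len)
		return ADVERT_INVALID;	/* right type, but no usable first pkt-line */
	size_t plen = (size_t)n - 4;
	if (plen && body[4 + plen - 1] == '\n')
		plen--;			/* tolerate a missing trailing LF */
	if (plen != strlen(want_line) || memcmp(body + 4, want_line, plen))
		return ADVERT_INVALID;
	return ADVERT_SMART;
}

int main(void)
{
	const char *body = "001e# service=git-upload-pack\n0000";	/* constructed sample */
	printf("%d\n", classify_advert("text/plain", "git-upload-pack", body, strlen(body)));
	return 0;
}
```

A body that looks like a smart-HTTP advertisement but arrives with the wrong Content-Type is classified ADVERT_DUMB and never reaches the pkt-line parser.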