From: Jakub Narebski Date: Sat, 4 Jun 2011 08:43:35 +0000 (+0200) Subject: gitweb: Fix usability of $prevent_xss X-Git-Tag: v1.7.6-rc1~3^2 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=bee6ea17a1bab824eba6133eefc3c70b219ec98c;p=git.git gitweb: Fix usability of $prevent_xss With XSS prevention on (enabled using $prevent_xss), blobs ('blob_plain') of all types except a few known safe ones are served with "Content-Disposition: attachment". However the check was too strict; it didn't take into account optional parameter attributes, media-type = type "/" subtype *( ";" parameter ) as described in RFC 2616 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17 http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7 This fixes that, and it for example treats following as safe MIME media type: text/plain; charset=utf-8 Signed-off-by: Jakub Narebski Signed-off-by: Junio C Hamano --- diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index bdaa4e946..c5548875f 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4752,7 +4752,7 @@ sub git_blob_plain { # want to be sure not to break that by serving the image as an # attachment (though Firefox 3 doesn't seem to care). my $sandbox = $prevent_xss && - $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!; + $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!; print $cgi->header( -type => $type,
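Review bot: the new alternative `(?:[ ;]|$)` only recognises a literal space or semicolon after the bare media type, so a value whose parameter is introduced by other linear whitespace (a tab before the `;`, which RFC 2616 §3.7 cited in the message allows) or one written with upper-case type/subtype (`Text/Plain`; §3.7 makes these case-insensitive) still falls through to `Content-Disposition: attachment`. That is the fail-safe direction, so it is not blocking, but the intent is easy to lose: a one-line comment above `my $sandbox = $prevent_xss &&` saying that only these three media types, with optional `;`-separated parameters, are served inline would help the next reader, and `(?:\s*;|\s*$)` with the `i` flag would match the RFC grammar more closely if you want that.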
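To see what the one-character change in the pattern does, here is an added example (not gitweb's code) that runs the pre-fix and post-fix regexes side by side over constructed media-type values and builds the headers a blob response would carry; the `must_sandbox` and `blob_headers` helpers and the header values are assumptions for illustration, not gitweb's own.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: decide whether a blob with this Content-Type value has
# to be served as an attachment when $prevent_xss is on. $strict selects the
# regex as it was before the fix; otherwise the fixed regex from the patch
# (media type optionally followed by ";" parameters) is applied.
sub must_sandbox {
    my ($type, $strict) = @_;
    my $safe = $strict
        ? ($type =~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!)
        : ($type =~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!);
    return !$safe;
}

# Assumed shape of the headers for a blob_plain response (not gitweb's).
sub blob_headers {
    my ($type, $file_name, $prevent_xss) = @_;
    my $disposition = ($prevent_xss && must_sandbox($type, 0))
        ? 'attachment' : 'inline';
    return {
        'Content-Type'        => $type,
        'Content-Disposition' => qq($disposition; filename="$file_name"),
    };
}

# Constructed sample values; only the second one is from the commit message.
my @cases = (
    'text/plain',
    'text/plain; charset=utf-8',   # wrongly sent as attachment before the fix
    'text/plainfoo',               # prefix must not be mistaken for text/plain
    'image/png',
    'image/svg+xml',               # scriptable image type, stays sandboxed
    'text/html; charset=utf-8',    # stays sandboxed with or without the fix
);
for my $t (@cases) {
    printf "%-28s before: %-10s after: %s\n", $t,
        must_sandbox($t, 1) ? 'attachment' : 'inline',
        must_sandbox($t, 0) ? 'attachment' : 'inline';
}
my $h = blob_headers('text/plain; charset=utf-8', 'README', 1);
print "$_: $h->{$_}\n" for sort keys %$h;
```

Only `text/plain; charset=utf-8` changes classification between the two columns; every other sample keeps the disposition it already had.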