gitweb: Fix usability of $prevent_xss
authorJakub Narebski <jnareb@gmail.com>
Sat, 4 Jun 2011 08:43:35 +0000 (10:43 +0200)
committerJunio C Hamano <gitster@pobox.com>
Sun, 5 Jun 2011 17:38:47 +0000 (10:38 -0700)
commitbee6ea17a1bab824eba6133eefc3c70b219ec98c
treec19d98d92c759feaae3ad9b8ebbdd6cb1081efb5
parent7e1100e9e939c9178b2aa3969349e9e8d34488bf
gitweb: Fix usability of $prevent_xss

With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment".  However the check was too
strict; it didn't take into account optional parameter attributes,

  media-type     = type "/" subtype *( ";" parameter )

as described in RFC 2616

  http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7

This fixes that, and it for example treats following as safe MIME
media type:

  text/plain; charset=utf-8

Signed-off-by: Jakub Narebski <jnareb@gmail.com>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
gitweb/gitweb.perl