gitweb: Fix usability of $prevent_xss

With XSS prevention on (enabled using $prevent_xss), blobs ('blob_plain') of all types except a few known safe ones are served with "Content-Disposition: attachment". However the check was too strict; it didn't take into account optional parameter attributes, media-type = type "/" subtype *( ";" parameter ) as described in RFC 2616 http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17 http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7 This fixes that, and it for example treats following as safe MIME media type: text/plain; charset=utf-8 Signed-off-by: Jakub Narebski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2025-03-20 21:23:24 +00:00 · 2011-06-04 10:43:35 +02:00 · 2011-06-04 10:43:35 +02:00 · bee6ea17a1
commit bee6ea17a1
parent 7e1100e9e9
1 changed files with 1 additions and 1 deletions
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@ -4752,7 +4752,7 @@ sub git_blob_plain {
 	# want to be sure not to break that by serving the image as an
 	# attachment (though Firefox 3 doesn't seem to care).
 	my $sandbox = $prevent_xss &&
-		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;

 	print $cgi->header(
 		-type => $type,