Jakub Narebski <jnareb@xxxxxxxxx> writes:

> One of the mechanisms enabled by setting $prevent_xss to true is 'blob_plain'
> view protection. With XSS prevention on, blobs of all types except a
> few known safe ones are served with "Content-Disposition: attachment" to
> make sure they don't run in our security domain.
>
> Instead of serving text/* type files, except text/plain (and including
> text/html), as attachments, downgrade it to text/plain. This way HTML
> pages in 'blob_plain' (raw) wiew would be displayed in browser, but

A new typo "wiew" is introduced without touching other parts of the message.
Curious...

> safely as a source, and not asked to be saved.
>
> Signed-off-by: Jakub Narebski <jnareb@xxxxxxxxx>
> ---
>  gitweb/gitweb.perl | 10 +++++++++-
>  1 files changed, 9 insertions(+), 1 deletions(-)
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 8620aca..cb2e7bc 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -6139,7 +6139,15 @@ sub git_blob_plain {
>  	# want to be sure not to break that by serving the image as an
>  	# attachment (though Firefox 3 doesn't seem to care).
>  	my $sandbox = $prevent_xss &&
> -		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
> +		$type !~ m!^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
> +
> +	# serve text/* as text/plain
> +	if ($prevent_xss &&
> +	    $type =~ m!^text/[a-z]+\b(.*)$!) {
> +		my $rest = $1;
> +		$rest = defined $rest ? $rest : '';
> +		$type = "text/plain$rest";
> +	}
>
>  	print $cgi->header(
>  		-type => $type,
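Review bot: the two regexes in this hunk disagree on what counts as "text/*", and the downgrade one is wrong for subtypes containing '-', '+', '.' or digits. The $sandbox test uses `(?:[ ;]|$)` after `text/[a-z]+`, so a type such as `text/x-csrc` is not matched and stays an attachment, but the downgrade test `m!^text/[a-z]+\b(.*)$!` matches `text/x` (there is a word boundary between `x` and `-`), captures `-csrc` into $rest and rewrites the type to the nonsensical `text/plain-csrc`. Using the same boundary in both places, e.g. `$type =~ m!^text/[a-z]+((?:[ ;].*)?)$!`, keeps them consistent; the `defined $rest ? $rest : ''` line is then also dead code, because `(.*)` always participates and $1 is always defined. A safer shape still would be to do the text/plain downgrade first and leave the original `text/plain|image/...` whitelist in the $sandbox test untouched: as written, $sandbox now exempts `text/html` from attachment mode and relies entirely on the block below it to neutralise that, so a future edit to either pattern alone would serve HTML inline in gitweb's origin.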