From: Jakub Narebski <jnareb@gmail.com>
To: git@vger.kernel.org
Cc: Matt McCutchen <matt@mattmccutchen.net>,
Junio C Hamano <gitster@pobox.com>,
Jakub Narebski <jnareb@gmail.com>
Subject: [PATCHv1 2/2] gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss
Date: Thu, 30 Jun 2011 11:39:21 +0200 [thread overview]
Message-ID: <1309426761-819-3-git-send-email-jnareb@gmail.com> (raw)
In-Reply-To: <1309426761-819-1-git-send-email-jnareb@gmail.com>
Enhance usability of 'blob_plain' view protection against XSS attacks
(enabled by setting $prevent_xss to true) by serving contents inline
as safe 'text/plain' mimetype where possible, instead of serving with
"Content-Disposition: attachment" to make sure they don't run in
gitweb's security domain.
This patch broadens downgrading to 'text/plain' further, to any
*/*+xml mimetype. This includes:
application/xhtml+xml (*.xhtml, *.xht)
application/atom+xml (*.atom)
application/rss+xml (*.rss)
application/mathml+xm (*.mathml)
application/docbook+xml (*.docbook)
image/svg+xml (*.svg, *.svgz)
Probably most useful is serving XHTML files as text/plain in
'blob_plain' view, directly viewable.
Because file with 'image/svg+xml' mimetype can be compressed SVGZ
file, we have to check if */*+xml really is text file, via '-T $fd'.
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
---
This patch is new.
gitweb/gitweb.perl | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index cb2e7bc..ae6244c 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -6143,7 +6143,8 @@ sub git_blob_plain {
# serve text/* as text/plain
if ($prevent_xss &&
- $type =~ m!^text/[a-z]+\b(.*)$!) {
+ ($type =~ m!^text/[a-z]+\b(.*)$! ||
+ ($type =~ m!^[a-z]+/[a-z]\+xml\b(.*)$! && -T $fd))) {
my $rest = $1;
$rest = defined $rest ? $rest : '';
$type = "text/plain$rest";
--
1.7.5
prev parent reply other threads:[~2011-06-30 9:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-30 9:39 [PATCHv2 0/2] gitweb: Make $prevent_xss protection for 'blob_plain' more usable Jakub Narebski
2011-06-30 9:39 ` [PATCH 1/2] gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss Jakub Narebski
2011-06-30 18:22 ` Junio C Hamano
2011-06-30 9:39 ` Jakub Narebski [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1309426761-819-3-git-send-email-jnareb@gmail.com \
--to=jnareb@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=matt@mattmccutchen.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).