Lady’s Gitweb - Gitweb/commit
gitweb: Fix usability of $prevent_xss
author    Jakub Narebski <redacted>
          Sat, 4 Jun 2011 08:43:35 +0000 (10:43 +0200)
committer Lady <redacted>
          Mon, 6 Apr 2026 04:51:31 +0000 (00:51 -0400)
commit    5233526cdfed4372589bf9ead05f5d90536d0277a603152741a248536f6340b0
tree      ebfbe1972081b6f497cd0fd8da95a580307f3038b9f44130bb142579b3957275
parent    6d6b14aafe57dcdbdb38729054a0560e4148b35b980ddca49b836b3db064e3be
gitweb: Fix usability of $prevent_xss

With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment".  However the check was too
strict; it didn't take into account optional parameter attributes,

  media-type     = type "/" subtype *( ";" parameter )

as described in RFC 2616

  http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7

This fixes that, and it, for example, treats the following as a safe
MIME media type:

  text/plain; charset=utf-8

Signed-off-by: Jakub Narebski <redacted>
Signed-off-by: Junio C Hamano <redacted>
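The check described in the commit message, as an added illustration in Python (not gitweb's own Perl code): the strict form compares the whole header value against a safe list, so a value carrying a charset parameter falls through to "Content-Disposition: attachment"; the fixed form parses type "/" subtype per RFC 2616 section 3.7 and ignores the parameter tail. The safe list below is an assumption for the example, since the commit only says "a few known safe ones"; text/html is deliberately absent because inline HTML from a repository is the XSS vector $prevent_xss exists to block.

```python
import re

# Assumed safe-to-render-inline types for this example (not gitweb's list).
SAFE_INLINE_TYPES = {"text/plain", "image/gif", "image/png", "image/jpeg"}

# media-type = type "/" subtype *( ";" parameter )   (RFC 2616, section 3.7)
# type and subtype are RFC 2616 tokens: no CTLs, no separators.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_TYPE_SUBTYPE = re.compile(rf"^\s*({_TOKEN})/({_TOKEN})\s*(?:;|$)")


def strict_is_safe(media_type: str) -> bool:
    """The overly strict check the commit fixes: the entire header value must
    equal a safe type, so 'text/plain; charset=utf-8' is treated as unsafe."""
    return media_type in SAFE_INLINE_TYPES


def media_type_base(media_type: str):
    """Return 'type/subtype' in lower case with any ';parameter' tail dropped,
    or None if the value is not a syntactically valid media type."""
    m = _TYPE_SUBTYPE.match(media_type)
    if not m:
        return None
    # RFC 2616: type and subtype are case-insensitive.
    return f"{m.group(1)}/{m.group(2)}".lower()


def fixed_is_safe(media_type: str) -> bool:
    """The corrected check: compare only the parsed type/subtype, exactly.
    An exact match on the parsed base (rather than a substring or prefix
    test) keeps 'text/html; charset=text/plain' in the unsafe bucket."""
    base = media_type_base(media_type)
    return base is not None and base in SAFE_INLINE_TYPES


def content_disposition(media_type: str, filename: str, prevent_xss: bool = True) -> str:
    """Content-Disposition value to send for a blob_plain response.
    Anything unknown or unparseable is served as an attachment; the 'inline'
    branch is this example's choice of wording, not gitweb's."""
    if prevent_xss and not fixed_is_safe(media_type):
        return f'attachment; filename="{filename}"'
    return f'inline; filename="{filename}"'
```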
gitweb.perl