gitweb: Fix usability of $prevent_xss

With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment".  However the check was too
strict; it didn't take into account optional parameter attributes,

  media-type     = type "/" subtype *( ";" parameter )

as described in RFC 2616

  http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
  http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7

This fixes that, and it for example treats following as safe MIME
media type:

  text/plain; charset=utf-8

Signed-off-by: Jakub Narebski <redacted>
Signed-off-by: Junio C Hamano <redacted>

diff --git a/gitweb.perl b/gitweb.perl
index 5e69a1635bbd6f0c884561f7e68db0072a79214dbe4fbd2fb91b6e3972be1f4b..cd1a01959713e7501dac401d90613b6d2ddefdbfbae8cbf9d8f1c65038db4d71 100755 (executable)
--- a/gitweb.perl
+++ b/gitweb.perl
@@ -6128,7 +6128,7 @@ sub git_blob_plain {
        # want to be sure not to break that by serving the image as an
        # attachment (though Firefox 3 doesn't seem to care).
        my $sandbox = $prevent_xss &&
-               $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+               $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
 
        print $cgi->header(
                -type => $type,