gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss

Enhance usability of 'blob_plain' view protection against XSS attacks
(enabled by setting $prevent_xss to true) by serving contents inline
as safe 'text/plain' mimetype where possible, instead of serving with
"Content-Disposition: attachment" to make sure they don't run in
gitweb's security domain.

This patch broadens downgrading to 'text/plain' further, to any
*/*+xml mimetype.  This includes:

  application/xhtml+xml    (*.xhtml, *.xht)
  application/atom+xml     (*.atom)
  application/rss+xml      (*.rss)
  application/mathml+xm    (*.mathml)
  application/docbook+xml  (*.docbook)
  image/svg+xml            (*.svg, *.svgz)

Probably most useful is serving XHTML files as text/plain in
'blob_plain' view, directly viewable.

Because file with 'image/svg+xml' mimetype can be compressed SVGZ
file, we have to check if */*+xml really is text file, via '-T $fd'.

Signed-off-by: Jakub Narebski <redacted>
Signed-off-by: Junio C Hamano <redacted>

diff --git a/gitweb.perl b/gitweb.perl
index 7f36502356047aaa2f11e7aad8ac3acd22f728ae0befc59604d8e711ba74f01b..9199e564e3ad056bb712d29a76cfeba3c36f11a0294ad31a8e12f97e3d0b9581 100755 (executable)
--- a/gitweb.perl
+++ b/gitweb.perl
@@ -6363,7 +6363,8 @@ sub git_blob_plain {
 
        # serve text/* as text/plain
        if ($prevent_xss &&
-           $type =~ m!^text/[a-z]+\b(.*)$!) {
+           ($type =~ m!^text/[a-z]+\b(.*)$! ||
+            ($type =~ m!^[a-z]+/[a-z]\+xml\b(.*)$! && -T $fd))) {
                my $rest = $1;
                $rest = defined $rest ? $rest : '';
                $type = "text/plain$rest";