From 86afbd02c890eca08424174b7d6e583af38b0363 Mon Sep 17 00:00:00 2001 From: Jakub Narebski Date: Thu, 30 Jun 2011 11:39:20 +0200 Subject: gitweb: Serve text/* 'blob_plain' as text/plain with $prevent_xss One of mechanism enabled by setting $prevent_xss to true is 'blob_plain' view protection. With XSS prevention on, blobs of all types except a few known safe ones are served with "Content-Disposition: attachment" to make sure they don't run in our security domain. Instead of serving text/* type files, except text/plain (and including text/html), as attachements, downgrade it to text/plain. This way HTML pages in 'blob_plain' (raw) view would be displayed in browser, but safely as a source, and not asked to be saved. Signed-off-by: Jakub Narebski Signed-off-by: Junio C Hamano --- gitweb/gitweb.perl | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index c5548875ff..1b97172ca8 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4752,7 +4752,15 @@ sub git_blob_plain { # want to be sure not to break that by serving the image as an # attachment (though Firefox 3 doesn't seem to care). my $sandbox = $prevent_xss && - $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!; + $type !~ m!^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)!; + + # serve text/* as text/plain + if ($prevent_xss && + $type =~ m!^text/[a-z]+\b(.*)$!) { + my $rest = $1; + $rest = defined $rest ? $rest : ''; + $type = "text/plain$rest"; + } print $cgi->header( -type => $type, -- cgit v1.2.1 From e8c35317172aab9da7afe555da603021a3ae89e5 Mon Sep 17 00:00:00 2001 From: Jakub Narebski Date: Thu, 30 Jun 2011 11:39:21 +0200 Subject: gitweb: Serve */*+xml 'blob_plain' as text/plain with $prevent_xss Enhance usability of 'blob_plain' view protection against XSS attacks (enabled by setting $prevent_xss to true) by serving contents inline as safe 'text/plain' mimetype where possible, instead of serving with "Content-Disposition: attachment" to make sure they don't run in gitweb's security domain. This patch broadens downgrading to 'text/plain' further, to any */*+xml mimetype. This includes: application/xhtml+xml (*.xhtml, *.xht) application/atom+xml (*.atom) application/rss+xml (*.rss) application/mathml+xm (*.mathml) application/docbook+xml (*.docbook) image/svg+xml (*.svg, *.svgz) Probably most useful is serving XHTML files as text/plain in 'blob_plain' view, directly viewable. Because file with 'image/svg+xml' mimetype can be compressed SVGZ file, we have to check if */*+xml really is text file, via '-T $fd'. Signed-off-by: Jakub Narebski Signed-off-by: Junio C Hamano --- gitweb/gitweb.perl | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 1b97172ca8..2aec91307f 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -4756,7 +4756,8 @@ sub git_blob_plain { # serve text/* as text/plain if ($prevent_xss && - $type =~ m!^text/[a-z]+\b(.*)$!) { + ($type =~ m!^text/[a-z]+\b(.*)$! || + ($type =~ m!^[a-z]+/[a-z]\+xml\b(.*)$! && -T $fd))) { my $rest = $1; $rest = defined $rest ? $rest : ''; $type = "text/plain$rest"; -- cgit v1.2.1