Prevent possible XSS issues by seting text/plain for all text files in

RAW feature Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-08-28 10:42:52 +0300
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-08-28 15:59:17 +0300
commit: ac24a5a336290f3519c38d59ea0d5a87a35e2c91 (patch)
tree: 64ceff31bd66791eac2649f2cf79f439569b8e04
parent: a044c4b14a2a4e73e694ec3f002a160d0991932f (diff)
download: gitlab-ce-ac24a5a336290f3519c38d59ea0d5a87a35e2c91.tar.gz
1 files changed, 2 insertions, 4 deletions
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index a6b7ae3f127..5ec9c576a66 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -29,12 +29,10 @@ class Projects::RawController < Projects::ApplicationController
   private
 
   def get_blob_type
-    if @blob.mime_type =~ /html|javascript/
+    if @blob.text?
       'text/plain; charset=utf-8'
-    elsif @blob.name =~ /(?:msi|exe|rar|r0\d|7z|7zip|zip)$/
-      'application/octet-stream'
     else
-      @blob.mime_type
+      'application/octet-stream'
     end
   end
 end
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2014-08-28 10:42:52 +0300
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2014-08-28 15:59:17 +0300
commit	ac24a5a336290f3519c38d59ea0d5a87a35e2c91 (patch)
tree	64ceff31bd66791eac2649f2cf79f439569b8e04
parent	a044c4b14a2a4e73e694ec3f002a160d0991932f (diff)
download	gitlab-ce-ac24a5a336290f3519c38d59ea0d5a87a35e2c91.tar.gz