author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-08-28 10:42:52 +0300 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-08-28 15:59:17 +0300 |
commit | ac24a5a336290f3519c38d59ea0d5a87a35e2c91 (patch) | |
tree | 64ceff31bd66791eac2649f2cf79f439569b8e04 | |
parent | a044c4b14a2a4e73e694ec3f002a160d0991932f (diff) | |
Prevent possible XSS issues by setting text/plain for all text files in
RAW feature
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
-rw-r--r-- | app/controllers/projects/raw_controller.rb | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index a6b7ae3f127..5ec9c576a66 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -29,12 +29,10 @@ class Projects::RawController < Projects::ApplicationController
   private
   def get_blob_type
-    if @blob.mime_type =~ /html|javascript/
+    if @blob.text?
       'text/plain; charset=utf-8'
-    elsif @blob.name =~ /(?:msi|exe|rar|r0\d|7z|7zip|zip)$/
-      'application/octet-stream'
     else
-      @blob.mime_type
+      'application/octet-stream'
     end
   end
 end |
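Review bot: Returning `text/plain` or `application/octet-stream` from get_blob_type only closes the XSS hole if the browser honours that type, so the response should also carry `X-Content-Type-Options: nosniff` (e.g. `response.headers['X-Content-Type-Options'] = 'nosniff'` next to the send_data call) and preferably a `Content-Disposition` with the blob's filename; the action that sends the blob starts above this hunk, so I cannot see whether either header is already set. Note that the new else branch also downgrades images, PDFs and other previously `@blob.mime_type` responses to octet-stream, which will break any inline `<img>` use of raw URLs; if that regression is intended, the commit message should say so. A one-line why-comment on the method would help the next maintainer, e.g. `# Never return a browser-renderable type here: user-controlled HTML/SVG/JS must not execute in this origin.`.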