Merge branch 'security-11-4' into 'security-fix/security-group-user-removal-11-4'

# Conflicts: # app/services/members/destroy_service.rb
author: James Lopez <james@gitlab.com> 2018-12-27 13:42:31 +0000
committer: James Lopez <james@gitlab.com> 2018-12-27 13:42:31 +0000
commit: 19a278b9e360b5b7f3e654d8a5caedd07d67f231 (patch)
tree: 1855e38b89eae0d4bf8890ee9f18578071c18718 /app/helpers/blob_helper.rb
parent: 2299c01f7e36274f2a1b6b43c68f2d568d7f451e (diff)
parent: 7703a04b53ea1d9a3e141de68dac765fd4d1a46a (diff)
download: gitlab-ce-19a278b9e360b5b7f3e654d8a5caedd07d67f231.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 883e5ddff57..98678aefa8a 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -150,7 +150,9 @@ module BlobHelper
   # example of Javascript) we tell the browser of the victim not to
   # execute untrusted data.
   def safe_content_type(blob)
-    if blob.text?
+    if blob.extension == 'svg'
+      blob.mime_type
+    elsif blob.text?
       'text/plain; charset=utf-8'
     elsif blob.image?
       blob.content_type
@@ -159,6 +161,12 @@ module BlobHelper
     end
   end
 
+  def content_disposition(blob, inline)
+    return 'attachment' if blob.extension == 'svg'
+
+    inline ? 'inline' : 'attachment'
+  end
+
   def ref_project
     @ref_project ||= @target_project || @project
   end
author	James Lopez <james@gitlab.com>	2018-12-27 13:42:31 +0000
committer	James Lopez <james@gitlab.com>	2018-12-27 13:42:31 +0000
commit	19a278b9e360b5b7f3e654d8a5caedd07d67f231 (patch)
tree	1855e38b89eae0d4bf8890ee9f18578071c18718 /app/helpers/blob_helper.rb
parent	2299c01f7e36274f2a1b6b43c68f2d568d7f451e (diff)
parent	7703a04b53ea1d9a3e141de68dac765fd4d1a46a (diff)
download	gitlab-ce-19a278b9e360b5b7f3e654d8a5caedd07d67f231.tar.gz