mirror/zx2c4.cgit
1
0
Fork 0
mirror of https://git.zx2c4.com/cgit synced 2025-07-31 08:04:28 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

ui-shared: prevent malicious filename from injecting headers

Browse source
This commit is contained in:
Jason A. Donenfeld 2016-01-14 14:28:37 +01:00
parent 4291453ec3
commit 513b3863d9
3 changed files with 32 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
ui-shared.c
View file

@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
htmlf("Content-Type: %s\n", ctx.page.mimetype);
if (ctx.page.size)
htmlf("Content-Length: %zd\n", ctx.page.size);
if (ctx.page.filename)
htmlf("Content-Disposition: inline; filename=\"%s\"\n",
ctx.page.filename);
if (ctx.page.filename) {
html("Content-Disposition: inline; filename=\"");
html_header_arg_in_quotes(ctx.page.filename);
html("\"\n");
}
if (!ctx.env.authenticated)
html("Cache-Control: no-cache, no-store\n");
htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));