mirror/zx2c4.cgit
1
0
Fork 0
mirror of https://git.zx2c4.com/cgit synced 2025-07-20 02:44:23 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

ui-plain: add enable-html-serving flag

Browse source 
Unrestricts plain/ to contents likely to be executed by browser.
This commit is contained in:
Jason A. Donenfeld 2016-01-14 14:53:28 +01:00
parent 9ca2566972
commit c326f3eb02
5 changed files with 29 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
ui-plain.c
View file

@ -37,6 +37,16 @@ static int print_object(const unsigned char *sha1, const char *path)
mimetype = get_mimetype_for_filename(path);
ctx.page.mimetype = mimetype;
if (!ctx.repo->enable_html_serving) {
html("X-Content-Type-Options: nosniff\n");
html("Content-Security-Policy: default-src 'none'\n");
if (mimetype) {
/* Built-in white list allows PDF and everything that isn't text/ and application/ */
if ((!strncmp(mimetype, "text/", 5) || !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf"))
ctx.page.mimetype = NULL;
}
}
if (!ctx.page.mimetype) {
if (buffer_is_binary(buf, size)) {
ctx.page.mimetype = "application/octet-stream";