ui-plain: add enable-html-serving flag

Unrestricts plain/ to contents likely to be executed by browser.
author: Jason A. Donenfeld 2016-01-14 14:53:28 +0100
committer: Jason A. Donenfeld 2016-01-14 15:42:56 +0100
commit: c326f3eb026d67650f79a6dda9a1a42c55d10a25 (patch)
tree: 51b94c63164ea924eb019c2e3c1e0b290509549b /ui-plain.c
parent: 9ca2566972db968df4479108b29bb92551138b57 (diff)
download: cgit-c326f3eb026d67650f79a6dda9a1a42c55d10a25.tar.gz
cgit-c326f3eb026d67650f79a6dda9a1a42c55d10a25.tar.bz2
cgit-c326f3eb026d67650f79a6dda9a1a42c55d10a25.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/ui-plain.c b/ui-plain.c
index 58addab..ff85113 100644
--- a/ui-plain.c
+++ b/ui-plain.c
@@ -37,6 +37,16 @@ static int print_object(const unsigned char *sha1, const char *path)
        mimetype = get_mimetype_for_filename(path);
        ctx.page.mimetype = mimetype;
+        if (!ctx.repo->enable_html_serving) {
+                html("X-Content-Type-Options: nosniff\n");
+                html("Content-Security-Policy: default-src 'none'\n");
+                if (mimetype) {
+                        /* Built-in white list allows PDF and everything that isn't text/ and application/ */
+                        if ((!strncmp(mimetype, "text/", 5) || !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf"))
+                                ctx.page.mimetype = NULL;
+                }
+        }
        if (!ctx.page.mimetype) {
                if (buffer_is_binary(buf, size)) {
                        ctx.page.mimetype = "application/octet-stream";
author	Jason A. Donenfeld	2016-01-14 14:53:28 +0100
committer	Jason A. Donenfeld	2016-01-14 15:42:56 +0100
commit	c326f3eb026d67650f79a6dda9a1a42c55d10a25 (patch)
tree	51b94c63164ea924eb019c2e3c1e0b290509549b /ui-plain.c
parent	9ca2566972db968df4479108b29bb92551138b57 (diff)
download	cgit-c326f3eb026d67650f79a6dda9a1a42c55d10a25.tar.gz cgit-c326f3eb026d67650f79a6dda9a1a42c55d10a25.tar.bz2 cgit-c326f3eb026d67650f79a6dda9a1a42c55d10a25.zip

diff --git a/ui-plain.c b/ui-plain.c index 58addab..ff85113 100644 --- a/ui-plain.c +++ b/ui-plain.c
@@ -37,6 +37,16 @@ static int print_object(const unsigned char sha1, const char path)
37	mimetype = get_mimetype_for_filename(path);	37	mimetype = get_mimetype_for_filename(path);
38	ctx.page.mimetype = mimetype;	38	ctx.page.mimetype = mimetype;
39		39
		40	if (!ctx.repo->enable_html_serving) {
		41	html("X-Content-Type-Options: nosniff\n");
		42	html("Content-Security-Policy: default-src 'none'\n");
		43	if (mimetype) {
		44	/* Built-in white list allows PDF and everything that isn't text/ and application/ */
		45	if ((!strncmp(mimetype, "text/", 5) \|\| !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf"))
		46	ctx.page.mimetype = NULL;
		47	}
		48	}
		49
40	if (!ctx.page.mimetype) {	50	if (!ctx.page.mimetype) {
41	if (buffer_is_binary(buf, size)) {	51	if (buffer_is_binary(buf, size)) {
42	ctx.page.mimetype = "application/octet-stream";	52	ctx.page.mimetype = "application/octet-stream";