author | Jason A. Donenfeld | 2016-01-14 14:28:37 +0100 |
committer | Jason A. Donenfeld | 2016-01-14 14:28:37 +0100 |
commit | 513b3863d999f91b47d7e9f26710390db55f9463 (patch) | |
tree | f704af1ea3f8da9b3b2904fbe8ed8233278314c6 /ui-shared.c | |
parent | 4291453ec30656c2f59645d8a74cf295ce0253a9 (diff) | |
ui-shared: prevent malicious filename from injecting headers
Diffstat (limited to 'ui-shared.c')
-rw-r--r-- | ui-shared.c | 8 |
1 files changed, 5 insertions, 3 deletions
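--- a/ui-shared.c
+++ b/ui-shared.c
@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
 htmlf("Content-Type: %s\n", ctx.page.mimetype);
 if (ctx.page.size)
 htmlf("Content-Length: %zd\n", ctx.page.size);
-if (ctx.page.filename)
-htmlf("Content-Disposition: inline; filename=\"%s\"\n",
-ctx.page.filename);
+if (ctx.page.filename) {
+html("Content-Disposition: inline; filename=\"");
+html_header_arg_in_quotes(ctx.page.filename);
+html("\"\n");
+}
 if (!ctx.env.authenticated)
 html("Cache-Control: no-cache, no-store\n");
 htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));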
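Review bot: The fix is only as strong as `html_header_arg_in_quotes`, which is not defined in this hunk: for the new Content-Disposition line to be safe it must escape both `"` and `\` and must not emit a bare CR or LF, since any of those would still close the quoted value or terminate the header line. Please confirm the helper handles those bytes (and an empty string) before relying on it, and consider a comment at the new `if`, e.g. `/* filename is user-influenced: escape it so it cannot close the quote or end the header line */`. The other `%s` headers in this function (Content-Type from ctx.page.mimetype, Last-Modified) are left as plain htmlf; whether any of them can carry user-influenced bytes cannot be determined from this hunk, but if so the same line-injection concern applies there. cgit_print_http_headers starts before and ends after this hunk.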