From c326f3eb026d67650f79a6dda9a1a42c55d10a25 Mon Sep 17 00:00:00 2001 From: Jason A. Donenfeld Date: Thu, 14 Jan 2016 14:53:28 +0100 Subject: ui-plain: add enable-html-serving flag Unrestricts plain/ to contents likely to be executed by browser. --- ui-plain.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'ui-plain.c') diff --git a/ui-plain.c b/ui-plain.c index 58addab..ff85113 100644 --- a/ui-plain.c +++ b/ui-plain.c @@ -37,6 +37,16 @@ static int print_object(const unsigned char *sha1, const char *path) mimetype = get_mimetype_for_filename(path); ctx.page.mimetype = mimetype; + if (!ctx.repo->enable_html_serving) { + html("X-Content-Type-Options: nosniff\n"); + html("Content-Security-Policy: default-src 'none'\n"); + if (mimetype) { + /* Built-in white list allows PDF and everything that isn't text/ and application/ */ + if ((!strncmp(mimetype, "text/", 5) || !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf")) + ctx.page.mimetype = NULL; + } + } + if (!ctx.page.mimetype) { if (buffer_is_binary(buf, size)) { ctx.page.mimetype = "application/octet-stream"; -- cgit v1.2.3-2-gb3c3