author | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-08-28 11:42:52 +0400 |
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2014-08-28 11:42:52 +0400 |
commit | 6f154c07c8d1d479e2b7a2b69c91dd12362fa918 (patch) | |
tree | cc7d1723dfa10216e20e189a0292815580f8890c /app/controllers/projects/raw_controller.rb | |
parent | c9054319c8f64e7f91cf062e36434da78979fa76 (diff) |
Prevent possible XSS issues by setting text/plain for all text files in
RAW feature
Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Diffstat (limited to 'app/controllers/projects/raw_controller.rb')
-rw-r--r-- | app/controllers/projects/raw_controller.rb | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index a6b7ae3f127..5ec9c576a66 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -29,12 +29,10 @@ class Projects::RawController < Projects::ApplicationController
 private
 def get_blob_type
- if @blob.mime_type =~ /html|javascript/
+ if @blob.text?
 'text/plain; charset=utf-8'
- elsif @blob.name =~ /(?:msi|exe|rar|r0\d|7z|7zip|zip)$/
- 'application/octet-stream'
 else
- @blob.mime_type
+ 'application/octet-stream'
 end
 end
 end
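Review bot: The rewritten `get_blob_type` makes the XSS defence rest on the Content-Type value alone, but a `text/plain` body can still be content-sniffed into HTML by some browsers unless the response also carries `X-Content-Type-Options: nosniff`; the action that calls this helper and actually sends the blob is outside the hunk, so confirm it sets `headers['X-Content-Type-Options'] = 'nosniff'` next to the type this method returns (and, if the intent is a download for the non-text branch, a `Content-Disposition` as well). `@blob.text?` is presumably a heuristic content check rather than a guarantee; a misclassified binary is only downgraded to `application/octet-stream`, which fails safe, while anything it accepts as text is served inline as plain text. The method carries no comment explaining why the blob's own MIME type is deliberately never echoed, so a future "fix" could reintroduce it; I would add `# Security: never return @blob.mime_type here. Text is always text/plain and everything else is application/octet-stream so repository content is never rendered by the browser as HTML, SVG or JavaScript.` above `def get_blob_type`. The enclosing class begins outside the hunk.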