author | Francisco Javier López <fjlopez@gitlab.com> | 2018-12-19 14:51:07 +0300 |
committer | Francisco Javier López <fjlopez@gitlab.com> | 2018-12-19 15:05:44 +0300 |
commit | 33e595567115f508ff069ee4927e10eae49e87a1 (patch) | |
tree | 0d841ec2a2d0c60a3093eef4975db640a5aed863 /app/helpers/blob_helper.rb | |
parent | ffef28ccd6d37ade2c3ee3ca46679749f9cf09aa (diff) |
Removing workhorse_set_content_type feature flag
Removing workhorse_set_content_type feature flag introduced in
https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/22667
Diffstat (limited to 'app/helpers/blob_helper.rb')
-rw-r--r-- | app/helpers/blob_helper.rb | 30 |
1 files changed, 0 insertions, 30 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index bd42f00944f..4c8e1b209c0 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -140,36 +140,6 @@ module BlobHelper
 Gitlab::Sanitizers::SVG.clean(data)
 end
 
- # Remove once https://gitlab.com/gitlab-org/gitlab-ce/issues/36103 is closed
- # and :workhorse_set_content_type flag is removed
- # If we blindly set the 'real' content type when serving a Git blob we
- # are enabling XSS attacks. An attacker could upload e.g. a Javascript
- # file to a Git repository, trick the browser of a victim into
- # downloading the blob, and then the 'application/javascript' content
- # type would tell the browser to execute the attacker's Javascript. By
- # overriding the content type and setting it to 'text/plain' (in the
- # example of Javascript) we tell the browser of the victim not to
- # execute untrusted data.
- def safe_content_type(blob)
- if blob.extension == 'svg'
- blob.mime_type
- elsif blob.text?
- 'text/plain; charset=utf-8'
- elsif blob.image?
- blob.content_type
- else
- 'application/octet-stream'
- end
- end
-
- def content_disposition(blob, inline)
- # Remove the following line when https://gitlab.com/gitlab-org/gitlab-ce/issues/36103
- # is closed and :workhorse_set_content_type flag is removed
- return 'attachment' if blob.extension == 'svg'
-
- inline ? 'inline' : 'attachment'
- end
-
 def ref_project
 @ref_project ||= @target_project || @project
 end