diff options
author | Francisco Javier López <fjlopez@gitlab.com> | 2018-12-07 00:22:39 +0300 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2018-12-07 00:22:39 +0300 |
commit | cf8b8ff99b26d0a1f90be289cea08344bb8baff6 (patch) | |
tree | 1dfbc129a7be2e2d15ce9343045275fdcdce3be3 /app/helpers/blob_helper.rb | |
parent | c3bbad762d418857e3f5b52222f5eedd62663229 (diff) |
Add feature flag for workhorse content type calculation
Diffstat (limited to 'app/helpers/blob_helper.rb')
-rw-r--r-- | app/helpers/blob_helper.rb | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb index 638744a1426..bd42f00944f 100644 --- a/app/helpers/blob_helper.rb +++ b/app/helpers/blob_helper.rb @@ -140,6 +140,8 @@ module BlobHelper Gitlab::Sanitizers::SVG.clean(data) end + # Remove once https://gitlab.com/gitlab-org/gitlab-ce/issues/36103 is closed + # and :workhorse_set_content_type flag is removed # If we blindly set the 'real' content type when serving a Git blob we # are enabling XSS attacks. An attacker could upload e.g. a Javascript # file to a Git repository, trick the browser of a victim into @@ -161,6 +163,8 @@ module BlobHelper end def content_disposition(blob, inline) + # Remove the following line when https://gitlab.com/gitlab-org/gitlab-ce/issues/36103 + # is closed and :workhorse_set_content_type flag is removed return 'attachment' if blob.extension == 'svg' inline ? 'inline' : 'attachment' |