author | Douwe Maan <douwe@gitlab.com> | 2018-10-17 18:47:06 +0300 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2018-10-17 18:47:06 +0300 |
commit | a621c8d0ea6891456605245fed014996538abed5 (patch) | |
tree | 08aad72c9813659459247c74fc46b6db4bc2cd91 /app | |
parent | 11152ddf3d4f977232676fea38eca28b7b6e6ddd (diff) | |
parent | b8cf360e2ae446db1f21c0275e2047d776730a05 (diff) |
Merge branch 'fj-52406-wiki-file-content-disposition' into 'master'
Fixed bug with the content disposition with wiki attachments
See merge request gitlab-org/gitlab-ce!22220
Diffstat (limited to 'app')
-rw-r--r-- | app/controllers/concerns/sends_blob.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/avatars_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/raw_controller.rb | 2 | ||||
-rw-r--r-- | app/controllers/projects/wikis_controller.rb | 23 | ||||
-rw-r--r-- | app/helpers/blob_helper.rb | 10 | ||||
-rw-r--r-- | app/helpers/workhorse_helper.rb | 2 |
6 files changed, 26 insertions, 15 deletions
diff --git a/app/controllers/concerns/sends_blob.rb b/app/controllers/concerns/sends_blob.rb
index 971390d9118..8ecdaced9f5 100644
--- a/app/controllers/concerns/sends_blob.rb
+++ b/app/controllers/concerns/sends_blob.rb
@@ -8,7 +8,7 @@ module SendsBlob
 include SendFileUpload
 end
- def send_blob(blob, params = {})
+ def send_blob(repository, blob, params = {})
 if blob
 headers['X-Content-Type-Options'] = 'nosniff'
diff --git a/app/controllers/projects/avatars_controller.rb b/app/controllers/projects/avatars_controller.rb
index 1c385c0e15a..1f4a25f82e9 100644
--- a/app/controllers/projects/avatars_controller.rb
+++ b/app/controllers/projects/avatars_controller.rb
@@ -8,7 +8,7 @@ class Projects::AvatarsController < Projects::ApplicationController
 def show
 @blob = @repository.blob_at_branch(@repository.root_ref, @project.avatar_in_git)
- send_blob(@blob)
+ send_blob(@repository, @blob)
 end
 def destroy
diff --git a/app/controllers/projects/raw_controller.rb b/app/controllers/projects/raw_controller.rb
index 1dd5d1ff2e8..42ae5b0ef3c 100644
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@@ -12,6 +12,6 @@ class Projects::RawController < Projects::ApplicationController
 def show
 @blob = @repository.blob_at(@commit.id, @path)
- send_blob(@blob, inline: (params[:inline] != 'false'))
+ send_blob(@repository, @blob, inline: (params[:inline] != 'false'))
 end
 end
diff --git a/app/controllers/projects/wikis_controller.rb b/app/controllers/projects/wikis_controller.rb
index 8c6d87a421f..88dd111132b 100644
--- a/app/controllers/projects/wikis_controller.rb
+++ b/app/controllers/projects/wikis_controller.rb
@@ -2,6 +2,7 @@ class Projects::WikisController < Projects::ApplicationController
 include PreviewMarkdown
+ include SendsBlob
 include Gitlab::Utils::StrongMemoize
 before_action :authorize_read_wiki!
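Review bot: The added `repository` parameter on `send_blob` changes the contract of a concern that several controllers call, and nothing in the hunk says what it is needed for; the body of `send_blob` continues outside the hunk, so I can only assume it is forwarded to `send_git_blob`, which takes `(repository, blob)` in this same commit. A short comment above the definition would make that explicit, e.g. `# repository: the Repository the blob was read from; presumably needed by Workhorse to stream it (confirm)`. The concern's other callers (avatars, raw and wikis controllers) are updated in this commit, but any caller outside `app/` would now raise ArgumentError.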
@@ -26,16 +27,8 @@ class Projects::WikisController < Projects::ApplicationController
 set_encoding_error unless valid_encoding?
 render 'show'
- elsif file = @project_wiki.find_file(params[:id], params[:version_id])
- response.headers['Content-Security-Policy'] = "default-src 'none'"
- response.headers['X-Content-Security-Policy'] = "default-src 'none'"
-
- send_data(
- file.raw_data,
- type: file.mime_type,
- disposition: 'inline',
- filename: file.name
- )
+ elsif file_blob
+ send_blob(@project_wiki.repository, file_blob)
 elsif can?(current_user, :create_wiki, @project) && view_param == 'create'
 @page = build_page(title: params[:id])
@@ -164,4 +157,14 @@ class Projects::WikisController < Projects::ApplicationController
 def set_encoding_error
 flash.now[:notice] = "The content of this page is not encoded in UTF-8. Edits can only be made via the Git repository."
 end
+
+ def file_blob
+ strong_memoize(:file_blob) do
+ commit = @project_wiki.repository.commit(@project_wiki.default_branch)
+
+ next unless commit
+
+ @project_wiki.repository.blob_at(commit.id, params[:id])
+ end
+ end
 end
diff --git a/app/helpers/blob_helper.rb b/app/helpers/blob_helper.rb
index 8d58c86b7a4..f7e087a6234 100644
--- a/app/helpers/blob_helper.rb
+++ b/app/helpers/blob_helper.rb
@@ -150,7 +150,9 @@ module BlobHelper
 # example of Javascript) we tell the browser of the victim not to
 # execute untrusted data.
 def safe_content_type(blob)
- if blob.text?
+ if blob.extension == 'svg'
+ blob.mime_type
+ elsif blob.text?
 'text/plain; charset=utf-8'
 elsif blob.image?
 blob.content_type
@@ -159,6 +161,12 @@ module BlobHelper
 end
 end
+ def content_disposition(blob, inline)
+ return 'attachment' if blob.extension == 'svg'
+
+ inline ? 'inline' : 'attachment'
+ end
+
 def ref_project
 @ref_project ||= @target_project || @project
 end
diff --git a/app/helpers/workhorse_helper.rb b/app/helpers/workhorse_helper.rb
index f19445fca1a..49c08dce96c 100644
--- a/app/helpers/workhorse_helper.rb
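Review bot: The new `elsif file_blob` branch drops two things the removed code did: it no longer honours `params[:version_id]` (the blob is resolved only at the head of the default branch, in `file_blob` further down this file), and it no longer sets `Content-Security-Policy` / `X-Content-Security-Policy: default-src 'none'` on the file response. Whether `send_blob` restores the CSP header is not visible here; the visible parts of `send_blob` and `send_git_blob` set only `X-Content-Type-Options` and `Content-Disposition`, so if it does not, the header should be carried over into the shared path, e.g. `headers['Content-Security-Policy'] = "default-src 'none'"` next to the `nosniff` header, since it was the second layer of defence against a wiki file being rendered as an active document. If versioned file access is intentionally dropped, the merge request description should say so. The enclosing `show` action starts and ends outside the hunk.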
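Review bot: `file_blob` calls `@project_wiki.repository` twice and gives no hint that it resolves `params[:id]` only against the default branch; hoisting the repository into a local and adding a one-line comment would make both clear. For example `# Blob for params[:id] at the head of the wiki's default branch; nil when the wiki has no commits yet.` above the method, and `repository = @project_wiki.repository` as the first line of the block with both calls using it. The `next unless commit` guard correctly makes the memoized value nil for an empty wiki, which is what the `elsif file_blob` branch above relies on.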
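Review bot: `safe_content_type` now returns the blob's own MIME type for SVG, which is only safe because `content_disposition` (added in the next hunk) forces `attachment` for the same `blob.extension == 'svg'` case; the comment above the method still says its purpose is to stop the browser executing untrusted data, and nothing records that the SVG branch depends on the caller also setting the disposition. I would extend that comment with `# SVG is the exception: it keeps its real type, so callers MUST pair this with content_disposition(), which forces 'attachment' for it; an inline SVG can carry script.` It is also worth confirming that `Blob#extension` is normalised to lower case, since an upper-case `.SVG` name would otherwise fall through to the `image?` branch and be served inline with its image type; that is not visible from here.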
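Review bot: The `blob.extension == 'svg'` test in `content_disposition` duplicates the one in `safe_content_type` in the previous hunk, and the two must stay in sync for the SVG handling to remain safe; extracting a private predicate such as `def force_attachment?(blob)` / `  blob.extension == 'svg'` / `end` and calling it from both places removes the risk of one being changed without the other. The positional boolean `inline` also reads poorly at the call site in workhorse_helper.rb (`content_disposition(blob, inline)`); a keyword argument `inline:` would be clearer, though that touches the caller too. Either way, a one-line YARD comment stating the two possible return values (`'inline'` or `'attachment'`) would help the next reader.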
+++ b/app/helpers/workhorse_helper.rb
@@ -6,7 +6,7 @@ module WorkhorseHelper
 # Send a Git blob through Workhorse
 def send_git_blob(repository, blob, inline: true)
 headers.store(*Gitlab::Workhorse.send_git_blob(repository, blob))
- headers['Content-Disposition'] = inline ? 'inline' : 'attachment'
+ headers['Content-Disposition'] = content_disposition(blob, inline)
 headers['Content-Type'] = safe_content_type(blob)
 render plain: ""
 end
|