Merge branch 'fix-xss' into 'master'

Fix XSS issue When view blob as RAW make sure we allow only 2 kind of type: 'text/plain' and 'application/octet-stream' Fixes #1514 See merge request !1045
2014-08-28 15:59:57 +00:00 · 2014-08-28 15:59:57 +00:00 · d4180875cb
commit d4180875cb
parent 3069826d1a 6f154c07c8
1 changed files with 2 additions and 4 deletions
--- a/app/controllers/projects/raw_controller.rb
+++ b/app/controllers/projects/raw_controller.rb
@ -29,12 +29,10 @@ class Projects::RawController < Projects::ApplicationController
  private

  def get_blob_type
-    if @blob.mime_type =~ /html|javascript/
+    if @blob.text?
      'text/plain; charset=utf-8'
-    elsif @blob.name =~ /(?:msi|exe|rar|r0\d|7z|7zip|zip)$/
-      'application/octet-stream'
    else
-      @blob.mime_type
+      'application/octet-stream'
    end
  end
 end