gitlab-org--gitlab-foss/app/controllers/projects/raw_controller.rb
Dmitriy Zaporozhets 6f154c07c8
Prevent possible XSS issues by setting text/plain for all text files in
RAW feature

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
2014-08-28 10:42:52 +03:00


# Serves the raw bytes of one repository file.
#
# Every response is sent with X-Content-Type-Options: nosniff, and any blob
# the repository classifies as text is delivered as text/plain (never as
# text/html or another renderable type); this is the XSS hardening described
# in the commit message. Non-text blobs go out as application/octet-stream.
#
# @repository, @commit and @path are presumably populated by the ExtractsPath
# filter before #show runs — confirm against that module.
class Projects::RawController < Projects::ApplicationController
  include ExtractsPath

  # Authorization chain: readable project, code access, non-empty repository.
  before_filter :authorize_read_project!
  before_filter :authorize_code_access!
  before_filter :require_non_empty_project

  # GET handler.
  #
  # Looks up the blob at @path for @commit and streams it inline under the
  # content type chosen by #get_blob_type. Responds via not_found! when the
  # path does not resolve to a blob.
  def show
    @blob = @repository.blob_at(@commit.id, @path)
    return not_found! unless @blob

    # Disable MIME sniffing so the Content-Type declared below is authoritative
    # and the browser cannot upgrade a text/plain body to HTML.
    headers['X-Content-Type-Options'] = 'nosniff'
    send_data(@blob.data,
              type: get_blob_type,
              disposition: 'inline',
              filename: @blob.name)
  end

  private

  # Content type for the current @blob.
  #
  # Text blobs are always reported as UTF-8 text/plain regardless of their
  # extension; anything else is an opaque octet stream.
  def get_blob_type
    @blob.text? ? 'text/plain; charset=utf-8' : 'application/octet-stream'
  end
end