@@ -13,12 +13,6 @@ |
13 | 13 |
;;; Tags limit (default:1000) |
14 | 14 |
;tags_limit=1000 |
15 | 15 |
|
16 |
-;;; Prevent XSS |
|
17 |
-;;; If prevent_xss is set to 1, |
|
18 |
-;;; binary file except png, gif, jpeg |
|
19 |
-;;; is downloaded, not displayed. |
|
20 |
-;prevent_xss=1 |
|
21 |
- |
|
22 | 16 |
[admin] |
23 | 17 |
;;; If you forget admin password, |
24 | 18 |
;;; set this value to 1 and access /reset-password page. |
@@ -11,7 +11,7 @@ use Gitprep::Manager; |
11 | 11 |
use Scalar::Util 'weaken'; |
12 | 12 |
use Validator::Custom; |
13 | 13 |
|
14 |
-our $VERSION = '0.06'; |
|
14 |
+our $VERSION = '0.07'; |
|
15 | 15 |
|
16 | 16 |
has 'dbi'; |
17 | 17 |
has 'git'; |
@@ -14,26 +14,13 @@ |
14 | 14 |
# Content type |
15 | 15 |
my $type = $git->blob_content_type($user, $project, $rev, $file); |
16 | 16 |
|
17 |
- # Convert text/* content type to text/plain |
|
18 |
- if (app->config->{basic}{prevent_xss} && |
|
19 |
- ($type =~ m#^text/[a-z]+\b(.*)$# || |
|
20 |
- ($type =~ m#^[a-z]+/[a-z]\+xml\b(.*)$#))) |
|
21 |
- { |
|
22 |
- my $rest = $1; |
|
23 |
- $rest = defined $rest ? $rest : ''; |
|
24 |
- $type = "text/plain$rest"; |
|
25 |
- } |
|
26 |
- |
|
27 | 17 |
# File name |
28 | 18 |
my $file_name = $rev; |
29 | 19 |
if (defined $file) { $file_name = $file } |
30 | 20 |
elsif ($type =~ m/^text\//) { $file_name .= '.txt' } |
31 | 21 |
|
32 | 22 |
# Content disposition |
33 |
- my $sandbox = app->config->{basic}{prevent_xss} && |
|
34 |
- $type !~ m#^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)#; |
|
35 |
- my $content_disposition = $sandbox ? 'attachment' : 'inline'; |
|
36 |
- $content_disposition .= "; filename=$file_name"; |
|
23 |
+ my $content_disposition = "inline; filename=$file_name"; |
|
37 | 24 |
|
38 | 25 |
# Response |
39 | 26 |
$self->res->headers->content_disposition($content_disposition); |
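Review bot: Dropping the prevent_xss branch leaves the blob served `inline` under whatever type blob_content_type returns (old line 15), so a committed text/html or SVG file is now rendered by the browser on the application's own origin instead of being forced to text/plain or an attachment — the stored-XSS exposure that the removed old lines 17–25 and 33–36 existed to contain, and nothing replaces it. If inline display of arbitrary types is intended, the response should at least carry a sniffing and sandboxing header next to the content_disposition call, e.g. `$self->res->headers->header('X-Content-Type-Options' => 'nosniff');` and `$self->res->headers->header('Content-Security-Policy' => 'sandbox');`, or keep `attachment` for anything that is not plain text or a raster image. The interpolated `$file_name` also reaches the header unquoted; it presumably derives from the requested path, so it is worth confirming that quotes and control characters cannot pass through. The enclosing action starts and ends outside the hunk, and the matching prevent_xss option documentation is removed in the first hunk.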