| ... | ... |
@@ -13,12 +13,6 @@ |
| 13 | 13 |
;;; Tags limit (default:1000) |
| 14 | 14 |
;tags_limit=1000 |
| 15 | 15 |
|
| 16 |
-;;; Prevent XSS |
|
| 17 |
-;;; If prevent_xss is set to 1, |
|
| 18 |
-;;; binary file except png, gif, jpeg |
|
| 19 |
-;;; is downloaded, not displayed. |
|
| 20 |
-;prevent_xss=1 |
|
| 21 |
- |
|
| 22 | 16 |
[admin] |
| 23 | 17 |
;;; If you forget admin password, |
| 24 | 18 |
;;; set this value to 1 and access /reset-password page. |
| ... | ... |
@@ -11,7 +11,7 @@ use Gitprep::Manager; |
| 11 | 11 |
use Scalar::Util 'weaken'; |
| 12 | 12 |
use Validator::Custom; |
| 13 | 13 |
|
| 14 |
-our $VERSION = '0.06'; |
|
| 14 |
+our $VERSION = '0.07'; |
|
| 15 | 15 |
|
| 16 | 16 |
has 'dbi'; |
| 17 | 17 |
has 'git'; |
| ... | ... |
@@ -14,26 +14,13 @@ |
| 14 | 14 |
# Content type |
| 15 | 15 |
my $type = $git->blob_content_type($user, $project, $rev, $file); |
| 16 | 16 |
|
| 17 |
- # Convert text/* content type to text/plain |
|
| 18 |
- if (app->config->{basic}{prevent_xss} &&
|
|
| 19 |
- ($type =~ m#^text/[a-z]+\b(.*)$# || |
|
| 20 |
- ($type =~ m#^[a-z]+/[a-z]\+xml\b(.*)$#))) |
|
| 21 |
- {
|
|
| 22 |
- my $rest = $1; |
|
| 23 |
- $rest = defined $rest ? $rest : ''; |
|
| 24 |
- $type = "text/plain$rest"; |
|
| 25 |
- } |
|
| 26 |
- |
|
| 27 | 17 |
# File name |
| 28 | 18 |
my $file_name = $rev; |
| 29 | 19 |
if (defined $file) { $file_name = $file }
|
| 30 | 20 |
elsif ($type =~ m/^text\//) { $file_name .= '.txt' }
|
| 31 | 21 |
|
| 32 | 22 |
# Content disposition |
| 33 |
- my $sandbox = app->config->{basic}{prevent_xss} &&
|
|
| 34 |
- $type !~ m#^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)#; |
|
| 35 |
- my $content_disposition = $sandbox ? 'attachment' : 'inline'; |
|
| 36 |
- $content_disposition .= "; filename=$file_name"; |
|
| 23 |
+ my $content_disposition = "inline; filename=$file_name"; |
|
| 37 | 24 |
|
| 38 | 25 |
# Response |
| 39 | 26 |
$self->res->headers->content_disposition($content_disposition); |