Jakub Narębski  committed bee6ea1

gitweb: Fix usability of $prevent_xss

With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment". However the check was too
strict; it didn't take into account optional parameter attributes,

media-type = type "/" subtype *( ";" parameter )

as described in RFC 2616

This fixes that, and it for example treats following as safe MIME
media type:

text/plain; charset=utf-8

Signed-off-by: Jakub Narebski <>
Signed-off-by: Junio C Hamano <>

  • Participants
  • Parent commits 7e1100e
  • Branches master

Comments (0)

Files changed (1)

File gitweb/gitweb.perl

 	# want to be sure not to break that by serving the image as an
 	# attachment (though Firefox 3 doesn't seem to care).
 	my $sandbox = $prevent_xss &&
-		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
 	print $cgi->header(
 		-type => $type,