From c326f3eb026d67650f79a6dda9a1a42c55d10a25 Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Thu, 14 Jan 2016 14:53:28 +0100
Subject: ui-plain: add enable-html-serving flag

Unrestricts plain/ to contents likely to be executed by browser.
---
 ui-plain.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'ui-plain.c')

diff --git a/ui-plain.c b/ui-plain.c
index 58addab..ff85113 100644
--- a/ui-plain.c
+++ b/ui-plain.c
@@ -37,6 +37,16 @@ static int print_object(const unsigned char *sha1, const char *path)
 	mimetype = get_mimetype_for_filename(path);
 	ctx.page.mimetype = mimetype;
 
+	if (!ctx.repo->enable_html_serving) {
+		html("X-Content-Type-Options: nosniff\n");
+		html("Content-Security-Policy: default-src 'none'\n");
+		if (mimetype) {
+			/* Built-in white list allows PDF and everything that isn't text/ and application/ */
+			if ((!strncmp(mimetype, "text/", 5) || !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf"))
+				ctx.page.mimetype = NULL;
+		}
+	}
+
 	if (!ctx.page.mimetype) {
 		if (buffer_is_binary(buf, size)) {
 			ctx.page.mimetype = "application/octet-stream";
-- 
cgit v1.2.3-59-g8ed1b