mir/cgit
2
0
Fork 0
mirror of https://git.zx2c4.com/cgit synced 2025-08-30 22:05:08 +00:00
Code Issues Releases Wiki Activity

ui-shared: prevent malicious filename from injecting headers

Browse Source
This commit is contained in:
Jason A. Donenfeld
2016-01-14 14:28:37 +01:00
parent 4291453ec3
commit 513b3863d9
3 changed files with 32 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ui-shared.c
View File

@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
htmlf("Content-Type: %s\n", ctx.page.mimetype);
if (ctx.page.size)
htmlf("Content-Length: %zd\n", ctx.page.size);
if (ctx.page.filename)
htmlf("Content-Disposition: inline; filename=\"%s\"\n",
ctx.page.filename);
if (ctx.page.filename) {
html("Content-Disposition: inline; filename=\"");
html_header_arg_in_quotes(ctx.page.filename);
html("\"\n");
}
if (!ctx.env.authenticated)
html("Cache-Control: no-cache, no-store\n");
htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));