mimetype = get_mimetype_for_filename(path);
ctx.page.mimetype = mimetype;
+ if (!ctx.repo->enable_html_serving) {
+ html("X-Content-Type-Options: nosniff\n");
+ html("Content-Security-Policy: default-src 'none'\n");
+ if (mimetype) {
+ /* Built-in white list allows PDF and everything that isn't text/ and application/ */
+ if ((!strncmp(mimetype, "text/", 5) || !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf"))
+ ctx.page.mimetype = NULL;
+ }
+ }
+
if (!ctx.page.mimetype) {
if (buffer_is_binary(buf, size)) {
ctx.page.mimetype = "application/octet-stream";
cgit_print_http_headers();
html_raw(buf, size);
free(mimetype);
+ free(buf);
return 1;
}
slash = strrchr(fullpath, '/');
if (slash)
*(slash + 1) = 0;
- else
+ else {
+ free(fullpath);
fullpath = NULL;
+ }
html("<li>");
cgit_plain_link("../", NULL, NULL, ctx.qry.head, ctx.qry.sha1,
fullpath);
walk_tree_ctx->match = 2;
return READ_TREE_RECURSIVE;
}
- } else if (base->len > walk_tree_ctx->match_baselen) {
+ } else if (base->len < INT_MAX && (int)base->len > walk_tree_ctx->match_baselen) {
print_dir_entry(sha1, base->buf, base->len, pathname, mode);
walk_tree_ctx->match = 2;
} else if (S_ISDIR(mode)) {
if (!path_items.match) {
path_items.match = "";
walk_tree_ctx.match_baselen = -1;
- print_dir(commit->tree->object.sha1, "", 0, "");
+ print_dir(commit->tree->object.oid.hash, "", 0, "");
walk_tree_ctx.match = 2;
}
else
git.ckatri.com / cgit.git / blobdiff