commit c326f3eb026d67650f79a6dda9a1a42c55d10a25
author Jason A. Donenfeld <Jason@zx2c4.com> Thu Jan 14 14:53:28 2016 +0100
committer Jason A. Donenfeld <Jason@zx2c4.com> Thu Jan 14 15:42:56 2016 +0100
tree 51b94c63164ea924eb019c2e3c1e0b290509549b
parent 9ca2566972db968df4479108b29bb92551138b57

ui-plain: add enable-html-serving flag

Unrestricts plain/ to contents likely to be executed by browser.

ui-plain.c

diff --git a/ui-plain.c b/ui-plain.c
index 58addab..ff85113 100644
--- a/ui-plain.c
+++ b/ui-plain.c
@@ -37,6 +37,16 @@
 	mimetype = get_mimetype_for_filename(path);
 	ctx.page.mimetype = mimetype;
 
+	if (!ctx.repo->enable_html_serving) {
+		html("X-Content-Type-Options: nosniff\n");
+		html("Content-Security-Policy: default-src 'none'\n");
+		if (mimetype) {
+			/* Built-in white list allows PDF and everything that isn't text/ and application/ */
+			if ((!strncmp(mimetype, "text/", 5) || !strncmp(mimetype, "application/", 12)) && strcmp(mimetype, "application/pdf"))
+				ctx.page.mimetype = NULL;
+		}
+	}
+
 	if (!ctx.page.mimetype) {
 		if (buffer_is_binary(buf, size)) {
 			ctx.page.mimetype = "application/octet-stream";