Mercurial > p > roundup > code
comparison roundup/cgi/client.py @ 4903:48d93e98be7b
Security non-standard html content as html
Attached html files are not shipped as text/html by default, unless
``allow_html_file`` is specified in the configuration. Unfortunately
some browsers want to be helpful and render other non-standard content
types as html. We now change this to application/octet-stream whenever
'html' is contained in the string (case insensitive). Thanks to Kay
Hayen for reporting and helping debug this.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Fri, 04 Jul 2014 15:43:22 +0200 |
| parents | 850551a1568b |
| children | 92757447dcf0 24209344b507 |
comparison
equal
deleted
inserted
replaced
| 4902:a403c29ffaf9 | 4903:48d93e98be7b |
|---|---|
| 975 if not mime_type: | 975 if not mime_type: |
| 976 mime_type = 'text/plain' | 976 mime_type = 'text/plain' |
| 977 | 977 |
| 978 # if the mime_type is HTML-ish then make sure we're allowed to serve up | 978 # if the mime_type is HTML-ish then make sure we're allowed to serve up |
| 979 # HTML-ish content | 979 # HTML-ish content |
| 980 if mime_type in ('text/html', 'text/x-html'): | 980 if 'html' in str (mime_type).lower () : |
| 981 if not self.instance.config['WEB_ALLOW_HTML_FILE']: | 981 if not self.instance.config['WEB_ALLOW_HTML_FILE']: |
| 982 # do NOT serve the content up as HTML | 982 # do NOT serve the content up as HTML |
| 983 mime_type = 'application/octet-stream' | 983 mime_type = 'application/octet-stream' |
| 984 | 984 |
| 985 # If this object is a file (i.e., an instance of FileClass), | 985 # If this object is a file (i.e., an instance of FileClass), |