diff roundup/cgi/client.py @ 4903:48d93e98be7b

Security non-standard html content as html

Attached html files are not shipped as text/html by default, unless ``allow_html_file`` is specified in the configuration. Unfortunately some browsers want to be helpful and render other non-standard content types as html. We now change this to application/octet-stream whenever 'html' is contained in the string (case insensitive). Thanks to Kay Hayen for reporting and helping debug this.
author Ralf Schlatterbeck <rsc@runtux.com>
date Fri, 04 Jul 2014 15:43:22 +0200
parents 850551a1568b
children 92757447dcf0 24209344b507
--- a/roundup/cgi/client.py	Fri Jul 04 15:32:28 2014 +0200
+++ b/roundup/cgi/client.py	Fri Jul 04 15:43:22 2014 +0200
@@ -977,7 +977,7 @@
 
         # if the mime_type is HTML-ish then make sure we're allowed to serve up
         # HTML-ish content
-        if mime_type in ('text/html', 'text/x-html'):
+        if 'html' in str (mime_type).lower () :
             if not self.instance.config['WEB_ALLOW_HTML_FILE']:
                 # do NOT serve the content up as HTML
                 mime_type = 'application/octet-stream'
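Review bot: the new substring test on `'html' in str (mime_type).lower ()` closes the `text/x-html`-style gap, but it only covers types whose name contains "html"; a browser that content-sniffs will still render attachments declared under a type without that substring, so the same code path should also emit `X-Content-Type-Options: nosniff` (and ideally `Content-Disposition: attachment`) on the response rather than relying on the type string alone. Also note that `str(None)` yields `'none'`, so a missing `mime_type` silently passes the check; an explicit `if mime_type and 'html' in mime_type.lower():` documents that case. Minor style: the spaces in `str (mime_type).lower () :` do not match the surrounding code's PEP 8 call style.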

Roundup Issue Tracker: http://roundup-tracker.org/