| author | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-01-14 14:28:37 +0100 | 
|---|---|---|
| committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2016-01-14 14:28:37 +0100 | 
| commit | 513b3863d999f91b47d7e9f26710390db55f9463 (patch) | |
| tree | f704af1ea3f8da9b3b2904fbe8ed8233278314c6 /ui-shared.c | |
| parent | ui-shared: Avoid new line injection into redirect header (diff) | |
| download | cgit-513b3863d999f91b47d7e9f26710390db55f9463.tar.gz cgit-513b3863d999f91b47d7e9f26710390db55f9463.tar.bz2 cgit-513b3863d999f91b47d7e9f26710390db55f9463.zip | |
ui-shared: prevent malicious filename from injecting headers
Diffstat (limited to '')
| -rw-r--r-- | ui-shared.c | 8 | 
1 files changed, 5 insertions, 3 deletions
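--- a/ui-shared.c
+++ b/ui-shared.c
@@ -692,9 +692,11 @@ void cgit_print_http_headers(void)
 		htmlf("Content-Type: %s\n", ctx.page.mimetype);
 	if (ctx.page.size)
 		htmlf("Content-Length: %zd\n", ctx.page.size);
-	if (ctx.page.filename)
-		htmlf("Content-Disposition: inline; filename=\"%s\"\n",
-		      ctx.page.filename);
+	if (ctx.page.filename) {
+		html("Content-Disposition: inline; filename=\"");
+		html_header_arg_in_quotes(ctx.page.filename);
+		html("\"\n");
+	}
 	if (!ctx.env.authenticated)
 		html("Cache-Control: no-cache, no-store\n");
 	htmlf("Last-Modified: %s\n", http_date(ctx.page.modified));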
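Review bot: The rewritten Content-Disposition block now relies entirely on `html_header_arg_in_quotes` neutralising `"`, `\` and CR/LF in `ctx.page.filename`, but that contract is not stated at the call site and the helper's definition is outside this hunk, so a later edit to the helper could silently reopen the header injection the commit title describes. A one-line comment above the new `if` would pin the requirement down: `/* filename may be attacker-controlled; the helper must escape quotes, backslashes and CR/LF so it cannot close the quoted value or terminate the header. */`. The neighbouring `htmlf` lines for Content-Type and Last-Modified still interpolate `ctx.page.mimetype` and `http_date(...)` unescaped, which is presumably fine because those values are not taken from the request, but that assumption about `ctx.page.mimetype` is worth confirming where it is set. cgit_print_http_headers begins and ends outside this hunk.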
