Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Serve raw files with the correct content types #15299

Closed
wants to merge 1 commit into from
Closed

Serve raw files with the correct content types #15299

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
45 changes: 33 additions & 12 deletions routers/repo/download.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ import (
"code.gitea.io/gitea/modules/log"
)

var javascriptTypes = []string{"application/ecmascript", "application/javascript", "text/ecmascript", "text/javascript",
"text/jscript", "text/livescript"}

// ServeData download file from io.Reader
func ServeData(ctx *context.Context, name string, size int64, reader io.Reader) error {
buf := make([]byte, 1024)
Expand All @@ -41,26 +44,44 @@ func ServeData(ctx *context.Context, name string, size int64, reader io.Reader)
// Google Chrome dislike commas in filenames, so let's change it to a space
name = strings.ReplaceAll(name, ",", " ")

if base.IsTextFile(buf) || ctx.QueryBool("render") {
cs, err := charset.DetectEncoding(buf)
if err != nil {
log.Error("Detect raw file %s charset failed: %v, using by default utf-8", name, err)
cs = "utf-8"
ct := base.DetectContentType(buf)
matches := func(mimes []string) bool {
for _, mime := range mimes {
if strings.Contains(ct, mime) {
return true
}
}
ctx.Resp.Header().Set("Content-Type", "text/plain; charset="+strings.ToLower(cs))
} else if base.IsImageFile(buf) || base.IsPDFFile(buf) {
return false
}
if ct == "" {
log.Error("Detect raw file %s content type failed: %v, using by default text/plain", name, err)
ct = "text/plain"
} else if matches(javascriptTypes) {
// Serve JavaScript files as plain text to prevent XSS attacks
ct = "text/plain"
}

if matches([]string{"text/"}) || ctx.QueryBool("render") {
if !strings.Contains(ct, "charset=") {
cs, err := charset.DetectEncoding(buf)
if err != nil {
log.Error("Detect raw file %s charset failed: %v, using by default utf-8", name, err)
cs = "utf-8"
}
ct += "; charset=" + cs
}
} else if matches([]string{"image/", "application/pdf"}) {
ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
ctx.Resp.Header().Set("Access-Control-Expose-Headers", "Content-Disposition")
if base.IsSVGImageFile(buf) {
ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
ctx.Resp.Header().Set("Content-Type", base.SVGMimeType)
}
} else {
ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`attachment; filename="%s"`, name))
ctx.Resp.Header().Set("Access-Control-Expose-Headers", "Content-Disposition")
}

ctx.Resp.Header().Set("Content-Type", strings.ToLower(ct))
tslocum marked this conversation as resolved.
Show resolved Hide resolved
ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")
ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")

_, err = ctx.Resp.Write(buf)
if err != nil {
return err
Expand Down