From: Junio C Hamano Date: Sun, 15 Feb 2009 09:44:11 +0000 (-0800) Subject: Merge branch 'jn/gitweb-committag' X-Git-Tag: v1.6.2-rc1~6 X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/2a8644c7f163e4b76a36739ba936f8d5d91c3cf4?ds=inline;hp=-c Merge branch 'jn/gitweb-committag' * jn/gitweb-committag: gitweb: Better regexp for SHA-1 committag match
--- 2a8644c7f163e4b76a36739ba936f8d5d91c3cf4
diff --combined gitweb/gitweb.perl
index 5410874285,bec1af6b73..8dffa3fd53
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@@ -132,10 -132,6 +132,10 @@@ our $fallback_encoding = 'latin1'
# - one might want to include '-B' option, e.g. '-B', '-M'
our @diff_opts = ('-M'); # taken from git_commit
+# Disables features that would allow repository owners to inject script into
+# the gitweb domain.
+our $prevent_xss = 0;
+
# information about snapshot formats that gitweb is capable of serving
our %known_snapshot_formats = (
# name => {
@@@ -1368,7 -1364,7 +1368,7 @@@ sub format_log_line_html
my $line = shift;
$line = esc_html($line, -nbsp=>1);
- if ($line =~ m/([0-9a-fA-F]{8,40})/) {
+ if ($line =~ m/\b([0-9a-fA-F]{8,40})\b/) {
my $hash_text = $1;
my $link = $cgi->a({-href => href(action=>"object", hash=>$hash_text),
@@@ -4507,9 -4503,7 +4507,9 @@@ sub git_summary
print "\n";
- if (-s "$projectroot/$project/README.html") {
+ # If XSS prevention is on, we don't include README.html.
+ # TODO: Allow a readme in some safe format.
+ if (!$prevent_xss && -s "$projectroot/$project/README.html") {
print "
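Review bot: The comment on `our $prevent_xss = 0;` names the threat but not the mechanism or the default, which is what an administrator scanning these configuration variables needs; the later hunks in this diff show what the flag actually gates (README.html is skipped in git_summary, and blobs outside a small allowlist are served as `Content-Disposition: attachment` in git_blob_plain). Suggest: `# When set to 1, disables features that let repository owners inject script into the gitweb domain: README.html is no longer inlined and blobs other than a few known-safe types are served as attachments. Off by default.` Whether this is intended to be overridden from the gitweb config file like the neighbouring `our` variables is implied by its placement but worth stating explicitly.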
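Review bot: The added `\b` anchors on the `if ($line =~ m/\b([0-9a-fA-F]{8,40})\b/)` line stop a hash from being carved out of a longer hex-looking word, but they still let a token of 8 to 40 plain digits (a date such as 20090215, a bug number) be linked as an object; if that matters, require at least one letter with a lookahead, `m/\b(?=[0-9]*[a-fA-F])([0-9a-fA-F]{8,40})\b/`. Note also that `\b` treats `_` as a word character, so a hash glued to an underscore will no longer be linked, which is probably acceptable but is a behaviour change the subject line does not mention. The regexp runs on the esc_html output, and format_log_line_html continues outside the hunk.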
readme
\n" . "
\n";
insert_file("$projectroot/$project/README.html");
@@@ -4770,21 -4764,10 +4770,21 @@@ sub git_blob_plain
$save_as .= '.txt';
}
+ # With XSS prevention on, blobs of all types except a few known safe
+ # ones are served with "Content-Disposition: attachment" to make sure
+ # they don't run in our security domain. For certain image types,
+ # blob view writes an tag referring to blob_plain view, and we
+ # want to be sure not to break that by serving the image as an
+ # attachment (though Firefox 3 doesn't seem to care).
+ my $sandbox = $prevent_xss &&
+ $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+
print $cgi->header(
-type => $type,
-expires => $expires,
- -content_disposition => 'inline; filename="' . $save_as . '"');
+ -content_disposition =>
+ ($sandbox ? 'attachment' : 'inline')
+ . '; filename="' . $save_as . '"');
undef $/;
binmode STDOUT, ':raw';
print <$fd>;
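Review bot: The new guard `if (!$prevent_xss && -s "$projectroot/$project/README.html")` still inlines README.html by default, because `$prevent_xss` is initialised to 0 at the top of the file, and the comment above it does not say so; a reader of git_summary should not have to know that, so make it explicit: `# README.html is inserted verbatim, so it can carry script into gitweb's origin; it is only skipped when $prevent_xss is set (off by default).` The TODO would be more actionable if it named a concrete safe format, for example a plain-text README rendered through esc_html, since insert_file (defined outside the hunk) appears to copy the file without escaping. git_summary starts and ends outside this hunk.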
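Review bot: The `text/plain` entry in the `$sandbox` allowlist is only as safe as the browser's respect for the declared type: older Internet Explorer sniffs inline text/plain bodies and renders one that looks like HTML as markup, so the inline case should be paired with `-x_content_type_options => 'nosniff'` in the `$cgi->header(...)` call below it (CGI.pm turns extra `-name` arguments into header fields). `$save_as` is built above the hunk; if it can carry a double quote (it presumably derives from the requested path) it unbalances the quoted `filename=` value, so escape it first with `(my $quoted = $save_as) =~ s/(["\\])/\\$1/g;` and interpolate `$quoted`. If `$type` can include a charset parameter such as `text/plain; charset=utf-8`, the `$`-anchored alternation will not match it and such blobs will be forced to `attachment`; matching on the media type before any `;` avoids that. git_blob_plain begins above the hunk.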