From 2ad4b0f3dd671f65b386746960db9f8422a4023a Mon Sep 17 00:00:00 2001
From: Patrick G
Date: Mon, 16 Jan 2017 18:53:10 -0500
Subject: [PATCH 1/4] Added ALWAYS_RENDER_RAW_FILES option to the repository section Used for serving raw files with the right content type. Only enable if you know what you are doing.
Signed-off-by: Patrick G
---
 modules/setting/setting.go | 4 ++++
 routers/repo/download.go | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/modules/setting/setting.go b/modules/setting/setting.go
index c490fb1d4202e..26ee22ef84fd4 100644
--- a/modules/setting/setting.go
+++ b/modules/setting/setting.go
@@ -156,6 +156,7 @@ var (
 PullRequestQueueLength int
 PreferredLicenses []string
 DisableHTTPGit bool
+ AlwaysRenderRawFiles bool
 // Repository editor settings
 Editor struct {
@@ -179,6 +180,7 @@ var (
 PullRequestQueueLength: 1000,
 PreferredLicenses: []string{"Apache License 2.0,MIT License"},
 DisableHTTPGit: false,
+ AlwaysRenderRawFiles: false,
 // Repository editor settings
 Editor: struct {
@@ -824,6 +826,8 @@ please consider changing to GITEA_CUSTOM`)
 if !filepath.IsAbs(Repository.Upload.TempPath) {
 Repository.Upload.TempPath = path.Join(workDir, Repository.Upload.TempPath)
 }
+
+ Repository.AlwaysRenderRawFiles = sec.Key("ALWAYS_RENDER_RAW_FILES").MustBool()
 sec = Cfg.Section("picture")
 AvatarUploadPath = sec.Key("AVATAR_UPLOAD_PATH").MustString(path.Join(AppDataPath, "avatars"))
diff --git a/routers/repo/download.go b/routers/repo/download.go
index 85e9fc64c97ed..0165b41c63c8f 100644
--- a/routers/repo/download.go
+++ b/routers/repo/download.go
@@ -12,6 +12,7 @@ import (
 "code.gitea.io/git"
 "code.gitea.io/gitea/modules/base"
+ "code.gitea.io/gitea/modules/setting"
 "code.gitea.io/gitea/modules/context"
 )
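Review bot: The new `AlwaysRenderRawFiles` field in the `@@ -156,6 +156,7` hunk of modules/setting/setting.go carries no comment, although the commit message itself says to enable it only if you know what you are doing. A reader of the struct cannot tell that this flag changes which response headers ServeData sends for repository content. I would add above the field: `// AlwaysRenderRawFiles serves raw repository files inline instead of forcing text/plain; HTML in a repository then renders on the Gitea origin.` The `MustBool()` call in the `@@ -824,6 +826,8` hunk falls back to false when the key is absent or unparseable, which is the safe direction, and it makes the explicit `AlwaysRenderRawFiles: false` in the `@@ -179,6 +180,7` hunk a restatement of the zero value. The `var (` block starts and ends outside these hunks.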
@@ -28,7 +29,9 @@ func ServeData(ctx *context.Context, name string, reader io.Reader) error {
 // Google Chrome dislike commas in filenames, so let's change it to a space
 name = strings.Replace(name, ",", " ", -1)
- if base.IsTextFile(buf) || ctx.QueryBool("render") {
+ if setting.Repository.AlwaysRenderRawFiles {
+ ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
+ } else if base.IsTextFile(buf) || ctx.QueryBool("render") {
 ctx.Resp.Header().Set("Content-Type", "text/plain; charset=utf-8")
 } else if base.IsImageFile(buf) || base.IsPDFFile(buf) {
 ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
@@ -41,6 +44,7 @@ func ServeData(ctx *context.Context, name string, reader io.Reader) error {
 return err
 }
+
 // ServeBlob download a git.Blob
 func ServeBlob(ctx *context.Context, blob *git.Blob) error {
 dataRc, err := blob.Data()
From 0adb06c491a19861265d9580c2d6ee7a5f526664 Mon Sep 17 00:00:00 2001
From: Patrick G
Date: Mon, 16 Jan 2017 20:16:50 -0500
Subject: [PATCH 2/4] Add ALWAYS_RENDER_RAW_FILES to app.ini
---
 conf/app.ini | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/conf/app.ini b/conf/app.ini
index 1390d4537ab24..9b158bfbcaec9 100644
--- a/conf/app.ini
+++ b/conf/app.ini
@@ -23,6 +23,9 @@ PULL_REQUEST_QUEUE_LENGTH = 1000
 PREFERRED_LICENSES = Apache License 2.0,MIT License
 ; Disable ability to interact with repositories by HTTP protocol
 DISABLE_HTTP_GIT = false
+; Force correct content-type on raw files.
+; This can be a security issue if improperly used because it allows html from a repo to run on the same domain as gitea.
+ALWAYS_RENDER_RAW_FILES = false
 [repository.editor]
 ; List of file extensions that should have line wraps in the CodeMirror editor
From 041735640a504aebf02be945a2f9bfb5cfd63803 Mon Sep 17 00:00:00 2001
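Review bot: With the flag on, the new first branch in ServeData (`@@ -28,7 +29,9` hunk of routers/repo/download.go) takes precedence over the `text/plain` forcing and sets only `Content-Disposition: inline`, so no Content-Type is chosen here and, assuming the body is later written through net/http with none set, one will be sniffed from the bytes. Repository HTML would then render in the Gitea origin under the viewer's session, and that content is controlled by anyone who can push to any repository on the instance. If inline rendering is the goal, isolate the document in this branch, for example with `ctx.Resp.Header().Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")`, or serve raw content from a separate host name. The same concern carries over to the extended branch in PATCH 4/4. ServeData's body starts and ends outside the hunk.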
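Review bot: The comment added to conf/app.ini (`@@ -23,6 +23,9`) says the option forces the correct content type, but at this point in the series the ServeData branch sets only Content-Disposition, and the warning does not say who is able to trigger the risk. I would word the two lines as `; Serve raw repository files inline with their own content type instead of text/plain.` and `; Any user who can push to a repository can then publish HTML that runs on the Gitea domain; leave this off unless every such user is trusted.`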
From: Patrick G
Date: Mon, 16 Jan 2017 20:18:57 -0500
Subject: [PATCH 3/4] Removed extra blank lines
---
 routers/repo/download.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/routers/repo/download.go b/routers/repo/download.go
index 0165b41c63c8f..07aebc5c44a26 100644
--- a/routers/repo/download.go
+++ b/routers/repo/download.go
@@ -44,7 +44,6 @@ func ServeData(ctx *context.Context, name string, reader io.Reader) error {
 return err
 }
-
 // ServeBlob download a git.Blob
 func ServeBlob(ctx *context.Context, blob *git.Blob) error {
 dataRc, err := blob.Data()
From f2d9e8401ffbfcfc08b49958fbbd6aa7ca085433 Mon Sep 17 00:00:00 2001
From: Patrick G
Date: Sat, 28 Jan 2017 20:46:07 -0500
Subject: [PATCH 4/4] Fixed mimetypes
---
 routers/repo/download.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/routers/repo/download.go b/routers/repo/download.go
index 07aebc5c44a26..9557294b682f9 100644
--- a/routers/repo/download.go
+++ b/routers/repo/download.go
@@ -8,6 +8,8 @@ import (
 "fmt"
 "io"
 "strings"
+ "path/filepath"
+ "mime"
 "code.gitea.io/git"
@@ -31,6 +33,10 @@ func ServeData(ctx *context.Context, name string, reader io.Reader) error {
 if setting.Repository.AlwaysRenderRawFiles {
 ctx.Resp.Header().Set("Content-Disposition", fmt.Sprintf(`inline; filename="%s"`, name))
+ mimetype := mime.TypeByExtension(filepath.Ext(name))
+ if mimetype != "" {
+ ctx.Resp.Header().Set("Content-Type", mimetype)
+ }
 } else if base.IsTextFile(buf) || ctx.QueryBool("render") {
 ctx.Resp.Header().Set("Content-Type", "text/plain; charset=utf-8")
 } else if base.IsImageFile(buf) || base.IsPDFFile(buf) {
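Review bot: When `mime.TypeByExtension` returns an empty string in the `@@ -31,6 +33,10` hunk of PATCH 4/4, the branch still sends `Content-Disposition: inline` with no Content-Type, so files with an unknown extension are presumably left to content sniffing. The extension comes from the repository file name, and the lookup also consults the host's MIME tables, so the same file can be served with different types on different installs. I would disable sniffing and add an explicit fallback: `ctx.Resp.Header().Set("X-Content-Type-Options", "nosniff")` and `else { ctx.Resp.Header().Set("Content-Type", "application/octet-stream") }`. Separately, `name` is interpolated into `filename="%s"` with only commas replaced; now that `mime` is imported, `mime.FormatMediaType("inline", map[string]string{"filename": name})` would quote it properly. ServeData continues outside the hunk.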