[Fusionforge-commits] FusionForge branch master updated. b566fdc8f60bd496cf961c7ecf1838162f2f3ec2

Sylvain Beucler beuc-inria at fusionforge.org
Tue Dec 16 17:00:14 CET 2014


The branch, master has been updated
       via  b566fdc8f60bd496cf961c7ecf1838162f2f3ec2 (commit)
      from  af691f14a7e39500b8fc90a43b09cb4ca4e5506d (commit)


- Log -----------------------------------------------------------------
commit b566fdc8f60bd496cf961c7ecf1838162f2f3ec2
Author: Sylvain Beucler <sylvain.beucler at inria.fr>
Date:   Tue Dec 16 16:59:30 2014 +0100

    viewvc: print 'co' body only once; fix warnings; simplify PHP syntax

diff --git a/src/www/scm/viewvc.php b/src/www/scm/viewvc.php
index 70ca8d6..717ae36 100644
--- a/src/www/scm/viewvc.php
+++ b/src/www/scm/viewvc.php
@@ -141,10 +141,12 @@ if (count($exploded_content) > 1) {
 	$content_type = '';
 	$charset = '';
 	foreach ($headers as $header) {
-		header($header);
 		if (preg_match('/^Content-Type:\s*(([^;]*)(\s*;\s*charset=(.*))?)/i', $header, $matches)) {
 			$content_type = $matches[2];
-			$charset = $matches[4];
+			if (isset($matches[4])) $charset = $matches[4];
+			// we'll validate content-type or transcode body below
+		} else {
+			header($header);
 		}
 	}
 } else {
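Review bot: The value stored by `if (isset($matches[4])) $charset = $matches[4];` is the raw tail of the upstream header — `charset=(.*)` captures everything to end of line, including surrounding quotes (`charset="utf-8"` is legal) and any further parameters — and this same diff later interpolates it into a `Content-Type` header and hands it to `mb_convert_encoding()`, which warns and returns false on an unrecognised encoding name (PHP 8 throws a ValueError), so the following `echo $body` would print an empty page. Capturing only the token avoids that: `if (preg_match('/^Content-Type:\s*([^;\s]*)(?:\s*;\s*charset=["\']?([^;"\'\s]+))?/i', $header, $matches))` with `$content_type = $matches[1];` and `if (isset($matches[2])) $charset = $matches[2];`. A one-line comment on the branch would also help the next reader, e.g. `// Content-Type is deliberately not forwarded here: the view switch below decides what to emit`. The `if (count($exploded_content) > 1)` enclosing this foreach starts before the hunk.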
@@ -158,30 +160,29 @@ if (!isset($_GET['view'])) {
 switch ($_GET['view']) {
 	case 'tar':
 	case 'co':
-	case 'patch': {
+	case 'patch':
 		$sysdebug_enable = false;
-		if (isset($content_type)) {
-			switch ($content_type) {
-				case (preg_match('/text\/.*/', $content_type) ? true : false):
-				case (preg_match('/.*\/javascript/', $content_type) ? true : false): {
-					header('Content-Type: text/plain');
-					break;
-				}
-			}
+		// Force content-type for any text/* or */javascript, to avoid XSS
+		if (!empty($content_type) &&
+			(preg_match('/text\/.*/', $content_type) ||
+			 preg_match('/.*\/javascript/', $content_type))) {
+				header('Content-Type: text/plain'
+					  . (!empty($charset) ? ";charset=$charset" : ''));
 		}
 		echo $body;
-	}
-	default: {
+		break;
+	default:
 		// If we output html and we found the mbstring extension, we
 		// should try to encode the output of ViewCVS in UTF-8
-		if ($charset != 'UTF-8' && extension_loaded('mbstring'))
-			$body = mb_convert_encoding($body, 'UTF-8', $encoding);
+		if (!empty($charset) && $charset != 'UTF-8' && extension_loaded('mbstring')) {
+			$body = mb_convert_encoding($body, 'UTF-8', $charset);
+		}
 		scm_header(array('title'=>_("SCM Repository"),
 						 'group'=>$Group->getID(),
 						 'inframe'=>1));
 		echo $body;
 		scm_footer(array('inframe'=>1));
-	}
+		break;
 }
 
 // Local Variables:
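Review bot: For the `tar`/`co`/`patch` views a non-text Content-Type is now lost entirely: the previous hunk stopped forwarding the upstream header, and this branch only emits one when the type matches text/* or */javascript, so a tarball, an image or an `application/octet-stream` file goes out with PHP's default type (normally text/html) unless something outside this hunk sets it. That undoes the XSS protection the new comment describes — any non-text file containing markup is now rendered as HTML by the browser — and presumably also breaks tar downloads. Keep the upstream type in an else branch, treat script-capable XML types (`application/xml`, `image/svg+xml`, `application/xhtml+xml`) like text, and add `X-Content-Type-Options: nosniff` so the browser does not second-guess the label; the `$charset` interpolation assumes the first hunk has sanitised that value.
```php
		// Force text/plain for anything a browser could execute (text/*,
		// */javascript, XML-based types such as SVG/XHTML), to avoid XSS
		if (!empty($content_type) &&
			(preg_match('/^text\//i', $content_type) ||
			 preg_match('/\/javascript$/i', $content_type) ||
			 preg_match('/xml$/i', $content_type))) {
			header('Content-Type: text/plain'
				  . (!empty($charset) ? ";charset=$charset" : ''));
		} elseif (!empty($content_type)) {
			// Binary content (tarballs, images, ...): keep the upstream type
			header('Content-Type: ' . $content_type);
		}
		header('X-Content-Type-Options: nosniff');
		echo $body;
		// … unchanged: break; default branch …
```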

-----------------------------------------------------------------------

Summary of changes:
 src/www/scm/viewvc.php |   33 +++++++++++++++++----------------
 1 file changed, 17 insertions(+), 16 deletions(-)

