From a2d5afa6a83ab8f97dd344d72be537952255b3e8 Mon Sep 17 00:00:00 2001
From: Eric Wong
Date: Sun, 19 Feb 2017 03:44:27 +0000
Subject: repobrowse: return git errors as text/plain, for now

For now, this avoids an HTML injection vector. We'll try to have more consistent error reporting in the future.
---
 lib/PublicInbox/RepoGitDiff.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/PublicInbox/RepoGitDiff.pm b/lib/PublicInbox/RepoGitDiff.pm
index 0e79f119..26728402 100644
--- a/lib/PublicInbox/RepoGitDiff.pm
+++ b/lib/PublicInbox/RepoGitDiff.pm
@@ -54,7 +54,7 @@ sub call_git_diff {
 $qsp->psgi_return($env, undef, sub { # parse header
 my ($r) = @_;
 if (!defined $r) {
- [ 500, [ 'Content-Type', 'text/html' ], [ $git->err ]];
+ [ 500, [ 'Content-Type', 'text/plain' ], [ $git->err ]];
 } elsif ($r == 0) {
 [ 200, [ 'Content-Type', 'text/html' ], [
 delete($req->{dhtml}).
-- 
cgit v1.2.3-24-ge0c7
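Review bot: The 500 branch still sends `$git->err` to the client verbatim, and a bare `text/plain` type does not stop content-sniffing browsers from rendering the body as HTML. Declaring a charset and disabling sniffing would close that gap: `[ 500, [ 'Content-Type', 'text/plain; charset=UTF-8', 'X-Content-Type-Options', 'nosniff' ], [ $git->err ]];`. Git's stderr may also carry server-side paths or request-derived arguments (inferred, since the contents of `$git->err` are not visible here), so consider logging it server-side and returning a fixed message instead. The callback and `call_git_diff` both begin and end outside this hunk, so other response branches were not reviewed.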