| commit | 4656bf47fca857df51b5d6f4b7b052192b3b2317 | |
| author | Shawn Pearce <spearce@spearce.org> | |
| Thu, 31 Jan 2013 21:02:07 +0000 (31 13:02 -0800) | ||
| committer | Junio C Hamano <gitster@pobox.com> | |
| Mon, 4 Feb 2013 18:22:36 +0000 (4 10:22 -0800) | ||
| tree | 91e4d6cf951f2964de99d454ec89e426753ac453 | treesnapshot (tar.gz zip) |
| parent | e1b6ff44d61bcdd91280c3f7c3c5ace32d4b7c52 | commitdiff |
Verify Content-Type from smart HTTP servers
Before parsing a suspected smart-HTTP response verify the returned
Content-Type matches the standard. This protects a client from
attempting to process a payload that smells like a smart-HTTP
server response.
JGit has been doing this check on all responses since the dawn of
time. I mistakenly failed to include it in git-core when smart HTTP
was introduced. At the time I didn't know how to get the Content-Type
from libcurl. I punted, meant to circle back and fix this, and just
plain forgot about it.
Signed-off-by: Shawn Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Before parsing a suspected smart-HTTP response verify the returned
Content-Type matches the standard. This protects a client from
attempting to process a payload that smells like a smart-HTTP
server response.
JGit has been doing this check on all responses since the dawn of
time. I mistakenly failed to include it in git-core when smart HTTP
was introduced. At the time I didn't know how to get the Content-Type
from libcurl. I punted, meant to circle back and fix this, and just
plain forgot about it.
Signed-off-by: Shawn Pearce <spearce@spearce.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>