From b5e04680c755eab62f835634af93459a0f1ea215 Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Jul 18 2018 13:21:28 +0000
Subject: Do not serve svg inline
SVG can contain javascript, so that's a easy vector for XSS on pagure. Fix CVE-2018-1002155
Signed-off-by: Michael Scherer
---
diff --git a/pagure/lib/mimetype.py b/pagure/lib/mimetype.py
index 149b906..bd270bc 100644
--- a/pagure/lib/mimetype.py
+++ b/pagure/lib/mimetype.py
@@ -59,7 +59,7 @@ def get_type_headers(filename, data):
     if not mimetype:
         return None
     headers = {'X-Content-Type-Options': 'nosniff'}
-    if 'html' in mimetype or 'javascript' in mimetype:
+    if 'html' in mimetype or 'javascript' in mimetype or 'svg' in mimetype:
         mimetype = 'application/octet-stream'
         headers['Content-Disposition'] = 'attachment'
     if encoding:
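Review bot: The new condition extends a substring deny-list (`'html'`, `'javascript'`, now `'svg'`), so any other browser-rendered type the detection can return is still served inline; XML types such as `text/xml` and `application/xml` are worth checking next, since browsers render them as documents rather than treating them as opaque data. A more durable shape is an allow-list of types known to be inert when rendered inline (plain text, raster `image/*`), with everything else falling back to `application/octet-stream` plus `Content-Disposition: attachment`, which covers future types without another patch. If the deny-list is kept, a comment above it would help maintainers, e.g. `# Anything a browser may execute when rendered inline (markup, script, SVG) is forced to download.`. The comparison is case-sensitive and so relies on the detector returning lowercase types; where `mimetype` is assigned is above the hunk, so that is worth confirming there. `get_type_headers` starts before and ends after this hunk.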