From 00705e9d99e74d5a4057b0202e447a6ae9296445 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jul 27 2016 07:27:45 +0000
Subject: Avoid all html related mimetypes and force the download if any
This avoids potentially running html code given by the user
---
diff --git a/pagure/ui/issues.py b/pagure/ui/issues.py
index ebaae4d..2b07857 100644
--- a/pagure/ui/issues.py
+++ b/pagure/ui/issues.py
@@ -942,16 +942,20 @@ def view_issue_raw_file(repo, filename=None, username=None):
 if not mimetype and data[:2] == '#!':
 mimetype = 'text/plain'
+ headers = {}
 if not mimetype:
 if '\0' in data:
 mimetype = 'application/octet-stream'
 else:
 mimetype = 'text/plain'
+ elif 'html' in mimetype:
+ mimetype = 'application/octet-stream'
+ headers['Content-Disposition'] = 'attachment'
 if mimetype.startswith('text/') and not encoding:
 encoding = chardet.detect(ktc.to_bytes(data))['encoding']
- headers = {'Content-Type': mimetype}
+ headers['Content-Type'] = mimetype
 if encoding:
 headers['Content-Encoding'] = encoding