From 66093b8234bd86cfcbac0cd8029ae53d5b117803 Mon Sep 17 00:00:00 2001
From: Michael Scherer
Date: Jul 17 2018 12:45:53 +0000
Subject: Do not serve svg inline

SVG can contain javascript, so that's a easy vector for XSS on pagure. Fix CVE-2018-1002155

Signed-off-by: Michael Scherer
---
diff --git a/pagure/lib/mimetype.py b/pagure/lib/mimetype.py
index f70443b..75afcb6 100644
--- a/pagure/lib/mimetype.py
+++ b/pagure/lib/mimetype.py
@@ -54,7 +54,7 @@ def get_type_headers(filename, data):
     if not mimetype:
         return None
     headers = {'X-Content-Type-Options': 'nosniff'}
-    if 'html' in mimetype or 'javascript' in mimetype:
+    if 'html' in mimetype or 'javascript' in mimetype or 'svg' in mimetype:
         mimetype = 'application/octet-stream'
         headers['Content-Disposition'] = 'attachment'
     if encoding:
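Review bot: The changed condition is still a blocklist of substrings, so any other type a browser renders as active content keeps being served inline; generic XML types (`text/xml`, `application/xml`) look like the next gap, since a browser may apply an XSLT stylesheet or treat an XHTML-namespaced document as a page, and they may be worth forcing to download as well. A more maintainable shape is a single tuple of script-capable markers, e.g. `if any(tag in mimetype for tag in ('html', 'javascript', 'svg', 'xml')):`, or, stronger still, an allowlist of types known to be inert inline. The line also deserves a why-comment such as `# Types a browser may execute script from are forced to download (CVE-2018-1002155)`, because a later reader will not know why 'svg' sits next to 'html'. get_type_headers begins before the hunk and continues after the `if encoding:` line.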