Bug 637981: (CVE-2011-2379) [SECURITY] "Raw Unified" patch diffs can cause XSS on this domain in IE 6-8 and Safari

r/a=LpSolit
author: Byron Jones <glob@mozilla.com> 2011-08-04 22:33:28 +0200
committer: Frédéric Buclin <LpSolit@gmail.com> 2011-08-04 22:33:28 +0200
commit: 818ad5e10408f6b513ac276f575bceb082401142 (patch)
tree: 450f4742368ac5ff584821185d0ddbbd323d4dc8 /Bugzilla
parent: 10e5c4a1c297d0c7a22f866b9941ac71f70d0dd6 (diff)
download: bugzilla-818ad5e10408f6b513ac276f575bceb082401142.tar.gz
bugzilla-818ad5e10408f6b513ac276f575bceb082401142.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/Bugzilla/Attachment/PatchReader.pm b/Bugzilla/Attachment/PatchReader.pm
index cfc7610f4..01a624a8f 100644
--- a/Bugzilla/Attachment/PatchReader.pm
+++ b/Bugzilla/Attachment/PatchReader.pm
@@ -37,6 +37,7 @@ sub process_diff {
         $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
         # Actually print out the patch.
         print $cgi->header(-type => 'text/plain',
+                           -x_content_type_options => "nosniff",
                            -expires => '+3M');
         disable_utf8();
         $reader->iterate_string('Attachment ' . $attachment->id, $attachment->data);
@@ -118,6 +119,7 @@ sub process_interdiff {
         $last_reader->sends_data_to(new PatchReader::DiffPrinter::raw());
         # Actually print out the patch.
         print $cgi->header(-type => 'text/plain',
+                           -x_content_type_options => "nosniff",
                            -expires => '+3M');
         disable_utf8();
     }
author	Byron Jones <glob@mozilla.com>	2011-08-04 22:33:28 +0200
committer	Frédéric Buclin <LpSolit@gmail.com>	2011-08-04 22:33:28 +0200
commit	818ad5e10408f6b513ac276f575bceb082401142 (patch)
tree	450f4742368ac5ff584821185d0ddbbd323d4dc8 /Bugzilla
parent	10e5c4a1c297d0c7a22f866b9941ac71f70d0dd6 (diff)
download	bugzilla-818ad5e10408f6b513ac276f575bceb082401142.tar.gz bugzilla-818ad5e10408f6b513ac276f575bceb082401142.tar.xz