From: Ian Jackson Date: Wed, 23 Sep 2009 14:12:46 +0000 (+0100) Subject: Do not allow caller to specify arbitrary content-types X-Git-Tag: 5.0^2~106 X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~yarrgweb/git?p=ypp-sc-tools.db-live.git;a=commitdiff_plain;h=c810347487961a59b3d8dfb2fed123f49dc22ed4 Do not allow caller to specify arbitrary content-types --- diff --git a/yarrg/web/qtextstringcheck b/yarrg/web/qtextstringcheck index 4fbfc54..9dce828 100755 --- a/yarrg/web/qtextstringcheck +++ b/yarrg/web/qtextstringcheck @@ -129,7 +129,10 @@ $emsg='' if !defined $emsg; $debugf->("QTSC EMSG='$emsg' RESULTS='@results'"); if ($format =~ /json/) { - $r->content_type($ctype or $format); + $ctype ||= $format; + die unless grep { $_ eq $ctype } + qw(application/json text/plain text/xml); + $r->content_type($ctype); my $jobj= { success => 1*!length $emsg, show => (length $emsg ? $emsg :
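Review bot: the fallback `$ctype ||= $format;` is not guaranteed to pass the allow-list that follows it: the enclosing branch only knows that `$format =~ /json/`, so if `$format` is ever a short form such as `json` rather than a full MIME type, a request that omits `$ctype` now dies where it previously succeeded; either default to the literal `application/json` or confirm that `$format` is always one of `application/json`, `text/plain`, `text/xml` before relying on it. The bare `die unless grep { $_ eq $ctype } ...` also gives no message, so a rejected caller-supplied content-type surfaces as an anonymous server error rather than a clear client error; something like `die "unsupported content-type $ctype\n"` (or an explicit 4xx response, since the value is client-controlled) would make the rejection diagnosable in logs. The exact-match `grep { $_ eq $ctype }` is the right shape for the check, since it avoids the substring and regex pitfalls of a looser comparison, and the allow-list is what prevents a caller from having the JSON response (which embeds `$emsg`) served under an attacker-chosen type such as `text/html`; a one-line comment on the `die` stating that intent would help the next reader.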