From c810347487961a59b3d8dfb2fed123f49dc22ed4 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Wed, 23 Sep 2009 15:12:46 +0100
Subject: [PATCH] Do not allow caller to specify arbitrary content-types

---
 yarrg/web/qtextstringcheck | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/yarrg/web/qtextstringcheck b/yarrg/web/qtextstringcheck
index 4fbfc54..9dce828 100755
--- a/yarrg/web/qtextstringcheck
+++ b/yarrg/web/qtextstringcheck
@@ -129,7 +129,10 @@ $emsg='' if !defined $emsg;
 $debugf->("QTSC EMSG='$emsg' RESULTS='@results'");
 
 if ($format =~ /json/) {
- $r->content_type($ctype or $format);
+ $ctype ||= $format;
+ die unless grep { $_ eq $ctype }
+ qw(application/json text/plain text/xml);
+ $r->content_type($ctype);
 my $jobj= {
 success => 1*!length $emsg,
 show => (length $emsg ? $emsg :
-- 
2.30.2
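Review bot: The bare `die unless grep { ... }` added in this hunk rejects a caller-supplied value with no diagnostic, so a request carrying an unlisted content-type surfaces only as "Died at ... line N" and, absent an enclosing eval I cannot see here, presumably as a 500 rather than the 4xx a client-input error warrants; `die "qtextstringcheck: content-type not permitted\n" unless grep { $_ eq $ctype } qw(application/json text/plain text/xml);` at least names the rejection in the log without echoing the untrusted string. The exact-`eq` whitelist itself is the right shape: it closes the header-injection path the old `$r->content_type($ctype or $format)` left open. Note the fallback `$ctype ||= $format;` now also subjects `$format` to the whitelist, so if `$format` can hold a short token such as `json` rather than a full MIME type, callers that omit `ctype` will start dying where they previously got a (malformed) header — worth confirming against how `$format` is populated earlier in the file. The enclosing `if ($format =~ /json/)` block continues past the end of the hunk.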