Do not allow caller to specify arbitrary content-types
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Wed, 23 Sep 2009 14:12:46 +0000 (15:12 +0100)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Wed, 23 Sep 2009 14:12:46 +0000 (15:12 +0100)
yarrg/web/qtextstringcheck

index 4fbfc546a88903180506ad850ba5411b288bbaa5..9dce8287e208d8213418dd6432e49898c998a74a 100755 (executable)
@@ -129,7 +129,10 @@ $emsg='' if !defined $emsg;
 $debugf->("QTSC EMSG='$emsg' RESULTS='@results'");
 
 if ($format =~ /json/) {
-       $r->content_type($ctype or $format);
+       $ctype ||= $format;
+       die unless grep { $_ eq $ctype }
+               qw(application/json text/plain text/xml);
+       $r->content_type($ctype);
        my $jobj= {
                success => 1*!length $emsg,
                show => (length $emsg      ? $emsg                       :
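Review bot: The bare `die` on the new allowlist check at L16 carries no message, so a rejected value surfaces only as "Died at ... line N" in the server error log and the operator cannot see which content-type was refused. Since the whole point of the commit is to reject caller-supplied values, the rejection should name the offending value, e.g. `die "unsupported content-type '$ctype'" unless grep { $_ eq $ctype } qw(application/json text/plain text/xml);`. Note also that the enclosing `if ($format =~ /json/)` is a substring match, so when `$ctype` is empty the fallback `$ctype ||= $format` may itself be a value outside the three-entry allowlist and hit the same `die`; that is harmless if `$format` is only ever set from trusted code, but worth confirming since the hunk does not show where it comes from. The `$jobj` constructor beginning at L19 continues outside the hunk.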