From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Fri, 15 Jan 2016 16:18:59 +0100
Subject: XSS in cgit
In-Reply-To:
References: <20160113191100.GA1660@dcvr.yhbt.net>
Message-ID:

Hi Michael,

Care to enlighten us what the use case behind 42effc9 [1] was?

Thanks,
Jason

[1] http://git.zx2c4.com/cgit/commit/?id=42effc939090b2fbf1b2b76cd1d9c30fabcd230e

On Fri, Jan 15, 2016 at 12:34 PM, Jason A. Donenfeld wrote:
>
> On Jan 13, 2016 9:11 PM, "Eric Wong" wrote:
>>
>> "Jason A. Donenfeld" wrote:
>> > Given all this, could somebody remind me why we have both /plain and
>> > /blob handlers? And if it's still necessary to maintain a distinction?
>> > If not, I will gladly accept patches to unify these.
>>
>> IIRC, the main difference was blob allows serving tree objects
>> as-is in binary form while plain generates an HTML directory listing.
>
> Thanks, this is what I thought, which leads me to the more relevant
> question:
>
> Given that the /blob handler returns binary directory data, it must conform
> to a particular API in order to be useful. Was the recently removed
> /blob/?mimetype= query string parameter part of such an API? Have we maimed
> something useful?