    Disable caching on API project/raw endpoint · d9693964
    Kerri Miller authored
    Caching of file contents creates an inconsistency in the value of the
    Content-Disposition header, allowing files that should only be sent as
    "attachment" to instead be returned as "inline," causing them to be
    evaluated and executed by the receiving client. This is due to how
    gitaly and the main Rails application coordinate around evaluating etags
    for content freshness. This fix addresses the issue by removing caching
    from this endpoint, but does not address the underlying issue (namely
    that Rails cannot accurately determine the file type of the requested
    content, thus cannot be responsible for determining appropriate or safe
    Content-Disposition.)