Monorepo for Tangled tangled.org

appview/repo: fallback to octet-stream for all unsupported media types

Fix: <https://tangled.org/tangled.org/core/issues/552>

Signed-off-by: Seongmin Lee <git@boltless.me>

author
Seongmin Lee
committer
Tangled
date (May 19, 2026, 11:11 AM +0300) commit 6c1043c5 parent 43753e11 change-id pzqytxkz
+4 -4
appview/repo/blob.go
··· 180 180 // Serve all textual content as plain text so the browser never 181 181 // interprets knot-supplied markup or scripts. 182 182 w.Header().Set("Content-Type", "text/plain; charset=utf-8") 183 - case safeBinaryMIMEType(mediaType) || contentType == "application/octet-stream": 183 + case safeBinaryMIMEType(mediaType): 184 184 // Use the normalized type, never the raw knot-supplied string. 185 185 w.Header().Set("Content-Type", mediaType) 186 186 default: 187 - w.WriteHeader(http.StatusUnsupportedMediaType) 188 - w.Write([]byte("unsupported content type")) 189 - return 187 + // If mediatype is unknown or it's unsafe (e.g. SVG which allows XSS,) 188 + // fallback to octet-stream 189 + w.Header().Set("Content-Type", "application/octet-stream") 190 190 } 191 191 if _, err := io.Copy(w, resp.Body); err != nil { 192 192 l.Error("error streaming knotmirror response", "err", err)
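Review bot: the new default branch relies on the browser honouring application/octet-stream, but nothing in the visible lines sets X-Content-Type-Options: nosniff or Content-Disposition: attachment. If neither is set earlier in the handler, add them here so that an unsafe type such as the SVG case named in the comment is downloaded rather than sniffed and rendered. It is also worth a test that an SVG blob and a blob with an unparseable content type both come back as octet-stream now that the 415 path is gone. Minor: the new comment has a misplaced comma in "XSS,)", and "mediatype" should match the variable name mediaType.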