X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=lib%2FPublicInbox%2FWwwAttach.pm;h=87844bf3f0e466a1b686f4e54eb0a9a6d5dd60ad;hb=refs%2Fheads%2Fmaster;hp=0fe63e4232510a4facb9d2fe724c3fbd23af1bc3;hpb=e3b57fe9f68e80fc85cff46ccec9246b670f1312;p=public-inbox.git
diff --git a/lib/PublicInbox/WwwAttach.pm b/lib/PublicInbox/WwwAttach.pm
index 0fe63e42..87844bf3 100644
--- a/lib/PublicInbox/WwwAttach.pm
+++ b/lib/PublicInbox/WwwAttach.pm
@@ -1,27 +1,27 @@
-# Copyright (C) 2016-2020 all contributors
+# Copyright (C) all contributors
 # License: AGPL-3.0+
 # For retrieving attachments from messages in the WWW interface
 package PublicInbox::WwwAttach; # internal package
 use strict;
+use v5.10.1;
 use parent qw(PublicInbox::GzipFilter);
-use bytes (); # only for bytes::length
-use PublicInbox::EmlContentFoo qw(parse_content_type);
 use PublicInbox::Eml;
 sub referer_match ($) {
 my ($ctx) = @_;
 my $env = $ctx->{env};
- my $referer = $env->{HTTP_REFERER} // '';
+ return 1 if $env->{REQUEST_METHOD} eq 'POST';
+ my $referer = lc($env->{HTTP_REFERER} // '');
 return 1 if $referer eq ''; # no referer is always OK for wget/curl
 # prevent deep-linking from other domains on some browsers (Firefox)
 # n.b.: $ctx->{ibx}->base_url($env) with INBOX_URL won't work
 # with dillo, we can only match "$url_scheme://$HTTP_HOST/" without
 # path components
- my $base_url = $env->{'psgi.url_scheme'} . '://' .
+ my $base_url = lc($env->{'psgi.url_scheme'} . '://' .
 ($env->{HTTP_HOST} //
- "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/';
+ "$env->{SERVER_NAME}:$env->{SERVER_PORT}") . '/');
 index($referer, $base_url) == 0;
 }
@@ -31,9 +31,7 @@ sub get_attach_i { # ->each_part callback
 return if $idx ne $ctx->{idx}; # [0-9]+(?:\.[0-9]+)+
 my $res = $ctx->{res};
 $res->[0] = 200;
- my $ct = $part->content_type;
- $ct = parse_content_type($ct) if $ct;
-
+ my $ct = $part->ct;
 if ($ct && (($ct->{type} || '') eq 'text')) {
 # display all text as text/plain:
 my $cset = $ct->{attributes}->{charset};
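Review bot: In referer_match (first hunk), the added `return 1 if $env->{REQUEST_METHOD} eq 'POST';` exempts every POST from the Referer comparison and has no comment saying why. The reason is presumably the 403 page built in the last hunk of this commit, but the exemption is not tied to that page, so a form hosted on another origin that submits a POST passes this check too. After this change the check only deters cross-site GET deep-links. I would say so on the line, e.g. `# POST is exempt: sent by the download control on our 403 page; cross-site POST is not filtered here`. Please also confirm that a part released by this path is never rendered inline by the browser; that code sits between the hunks and is not visible here.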
@@ -49,11 +47,16 @@ sub get_attach_i { # ->each_part callback $part = $part->body; } else { $res->[0] = 403; - $res->[1]->[1] = 'text/plain'; - $part = "Deep-linking prevented\n"; + $res->[1]->[1] = 'text/html'; + $part = <<""; +download +attachment
Deep-linking prevented
+ } } - push @{$res->[1]}, 'Content-Length', bytes::length($part); + push @{$res->[1]}, 'Content-Length', length($part); $res->[2]->[0] = $part; }
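Review bot: On the Content-Length line, `length($part)` is a byte count only while `$part` holds octets, whereas the removed `bytes::length($part)` gave bytes for either kind of string. The two assignments visible in this hunk (`$part->body` and the static heredoc) presumably yield octet strings, but nothing states that, and a later edit that puts decoded text into `$part` would send a short Content-Length. A comment such as `# $part is always octets here, so length() is the byte length` would pin the assumption. Separately, the 403 body is now served as `text/html` from an interpolating `<<""` heredoc whose markup is not visible in this rendering; confirm it interpolates nothing request-derived without HTML escaping. get_attach_i begins outside this hunk.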