From 979b114175c286537e1428524715ca0f5e79df1a Mon Sep 17 00:00:00 2001
From: sbassett <sbassett@wikimedia.org>
Date: Mon, 13 Jan 2020 15:17:39 -0600
Subject: [PATCH] SECURITY: Update mime and content types downloads

Change the following mime and content types from
"text/html; charset=utf-8" to the appropriate values for
csv and tsv file downloads:

* csv: "text/csv; charset=utf-8"
* tsv: "text/tab-separated-values; charset=utf-8"

Bug: T242355
---
 quarry/web/output.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/quarry/web/output.py b/quarry/web/output.py
index f8b4c48..3b82bed 100644
--- a/quarry/web/output.py
+++ b/quarry/web/output.py
@@ -107,11 +107,16 @@ def separated_formatter(reader, resultset_id, delim=','):
     rows = _stringify_results(_csv_injection_escape(
         reader.get_rows(resultset_id)))
 
+    mime_type = 'text/csv' if delim == ',' else 'text/tab-separated-values'
+    content_type = mime_type + '; charset=utf-8'
+
     def respond(stream):
         csvobject = csv.writer(stream, delimiter=delim)
         csvobject.writerows(rows)
 
-    return Response(_IterI(respond), content_type='text/html; charset=utf-8')
+    return Response(_IterI(respond),
+                    mimetype=mime_type,
+                    content_type=content_type)
 
 
 def json_line_formatter(reader, resultset_id):
-- 
2.22.0