- Updated install sh view code to return plain/text mime/content type…

…. This allows browsers to view the raw text without prompting to DL the file. - Updated index.html. - Added Procfile for heroku.
djm · Jul 16, 2013 · 573dad6 · 573dad6
1 parent 22f65c0
commit 573dad6
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 3 deletions.
diff --git a/Procfile b/Procfile
@@ -0,0 +1 @@
+web: gunicorn proof_of_concept:app
diff --git a/proof_of_concept.py b/proof_of_concept.py
@@ -1,4 +1,5 @@
-from flask import Flask, render_template, request, send_from_directory
+from flask import (Flask, make_response, render_template, request,
+                   send_from_directory)
 
 
 app = Flask(__name__)
@@ -21,7 +22,11 @@ def install_sh():
         path = 'sh/nasty.sh'
     else:
         path = 'sh/nice.sh'
-    return send_from_directory(app.static_folder, path)
+    to_serve = send_from_directory(app.static_folder, path)
+    response = make_response(to_serve)
+    # We want the raw text viewable in the browser, not for the file to DL.
+    response.headers['Content-Type'] = 'text/plain'
+    return response
 
 
 if __name__ == "__main__":

diff --git a/templates/index.html b/templates/index.html
@@ -24,7 +24,7 @@
 </head>
 <body>
     <h1>Proof of Concept</h1>
-    <h2>Piping to sh via curl</h2>
+    <h2>Piping to sh via curl has hidden (as well as obvious) dangers.</h2>
     <p>
         <code>curl -s <a href="{{ url_for('install_sh', _external=True) }}" title="View install.sh source">{{ url_for('install_sh', _external=True) }}</a> | sh</code>
     </p>