From 573dad6169c08207657c532da281aa1aeaeb70bc Mon Sep 17 00:00:00 2001
From: Darian Moody
Date: Tue, 16 Jul 2013 01:13:17 +0100
Subject: [PATCH] - Updated install sh view code to return plain/text mime/content type. This allows browsers to view the raw text without prompting to DL the file. - Updated index.html. - Added Procfile for heroku.
---
 Procfile             | 1 +
 proof_of_concept.py  | 9 +++++++--
 templates/index.html | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 Procfile

diff --git a/Procfile b/Procfile
new file mode 100644
index 0000000..b23c3d6
--- /dev/null
+++ b/Procfile
@@ -0,0 +1 @@
+web: gunicorn proof_of_concept:app
diff --git a/proof_of_concept.py b/proof_of_concept.py
index c9f490b..afd9634 100644
--- a/proof_of_concept.py
+++ b/proof_of_concept.py
@@ -1,4 +1,5 @@
-from flask import Flask, render_template, request, send_from_directory
+from flask import (Flask, make_response, render_template, request,
+                   send_from_directory)
 
 app = Flask(__name__)
 
@@ -21,7 +22,11 @@ def install_sh():
         path = 'sh/nasty.sh'
     else:
         path = 'sh/nice.sh'
-    return send_from_directory(app.static_folder, path)
+    to_serve = send_from_directory(app.static_folder, path)
+    response = make_response(to_serve)
+    # We want the raw text viewable in the browser, not for the file to DL.
+    response.headers['Content-Type'] = 'text/plain'
+    return response
 
 
 if __name__ == "__main__":
diff --git a/templates/index.html b/templates/index.html
index d78cdbf..86e94f4 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -24,7 +24,7 @@
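Review bot: Writing `Content-Type` by hand in the install_sh hunk drops the charset Flask would otherwise attach, and wrapping the value from `send_from_directory` in `make_response` is a no-op, because that helper already returns a Response. The two added lines can collapse to `response = send_from_directory(app.static_folder, path)` followed by `response.mimetype = 'text/plain'`, which produces `text/plain; charset=utf-8` and keeps the `make_response` import unnecessary. Since the script body is now rendered inline rather than downloaded, adding `response.headers['X-Content-Type-Options'] = 'nosniff'` tells browsers not to second-guess that type. The branch that picks `path` starts before this hunk, so install_sh's beginning is outside it.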

Proof of Concept

-

Piping to sh via curl

+

Piping to sh via curl has hidden (as well as obvious) dangers.

curl -s {{ url_for('install_sh', _external=True) }} | sh