From: Jakub Narebski <jnareb@gmail.com>
To: git@vger.kernel.org
Cc: Matt McCutchen <matt@mattmccutchen.net>,
Jakub Narebski <jnareb@gmail.com>
Subject: [PATCH] gitweb: Fix usability of $prevent_xss
Date: Sat, 4 Jun 2011 10:43:35 +0200 [thread overview]
Message-ID: <1307177015-880-1-git-send-email-jnareb@gmail.com> (raw)
With XSS prevention on (enabled using $prevent_xss), blobs
('blob_plain') of all types except a few known safe ones are served
with "Content-Disposition: attachment". However the check was too
strict; it didn't take into account optional parameter attributes,
media-type = type "/" subtype *( ";" parameter )
as described in RFC 2616
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.17
http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
This fixes that, and it for example treats following as safe MIME
media type:
text/plain; charset=utf-8
Signed-off-by: Jakub Narebski <jnareb@gmail.com>
---
The fact that it this buglet was present for so long, since its
introduction by Matt McCutchen in 7e1100e (gitweb: add $prevent_xss
option to prevent XSS by repository content, 2009-02-07) without
complaint shows that not many people are using this feature...
That, and that we don't have automated tests for that.
gitweb/gitweb.perl | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index dc3f37d..85acbed 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -6139,7 +6139,7 @@ sub git_blob_plain {
# want to be sure not to break that by serving the image as an
# attachment (though Firefox 3 doesn't seem to care).
my $sandbox = $prevent_xss &&
- $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+ $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))(?:[ ;]|$)!;
print $cgi->header(
-type => $type,
--
1.7.5
next reply other threads:[~2011-06-04 8:44 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-06-04 8:43 Jakub Narebski [this message]
2011-06-04 21:15 ` Prevalence of $prevent_xss Matt McCutchen
2011-06-04 21:53 ` Jakub Narebski
2011-06-05 9:03 ` Implementing CSP (Content Security Policy) for gitweb in the future Jakub Narebski
2011-06-05 12:52 ` Matt McCutchen
2011-06-05 13:33 ` Jakub Narebski
2011-06-05 16:46 ` Matt McCutchen
2011-06-08 10:27 ` Jakub Narebski
2011-06-08 17:31 ` J.H.
2011-06-10 12:01 ` [PATCH] gitweb: Make $prevent_xss protection for 'blob_plain' more usable Jakub Narebski
2011-06-13 16:47 ` Junio C Hamano
2011-06-13 21:49 ` Jakub Narebski
2011-06-13 23:12 ` Junio C Hamano
2011-06-14 1:33 ` Jakub Narebski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1307177015-880-1-git-send-email-jnareb@gmail.com \
--to=jnareb@gmail.com \
--cc=git@vger.kernel.org \
--cc=matt@mattmccutchen.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).