From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jeff King Subject: Re: [BUG] gitweb: XSS vulnerability of RSS feed Date: Tue, 13 Nov 2012 12:04:52 -0500 Message-ID: <20121113170452.GE20361@sigill.intra.peff.net> References: <20121111232820.284510@gmx.net> <20121112202413.GD4623@sigill.intra.peff.net> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Cc: glpk xypron , git@vger.kernel.org, jnareb@gmail.com, Junio C Hamano , "Jason J Pyeron CTR (US)" , Andreas Schwab To: Drew Northup X-From: git-owner@vger.kernel.org Tue Nov 13 18:05:13 2012 Return-path: Envelope-to: gcvg-git-2@plane.gmane.org Received: from vger.kernel.org ([209.132.180.67]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1TYJvE-0005fd-IF for gcvg-git-2@plane.gmane.org; Tue, 13 Nov 2012 18:05:12 +0100 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1755025Ab2KMRE6 (ORCPT ); Tue, 13 Nov 2012 12:04:58 -0500 Received: from 75-15-5-89.uvs.iplsin.sbcglobal.net ([75.15.5.89]:47601 "EHLO peff.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754095Ab2KMRE5 (ORCPT ); Tue, 13 Nov 2012 12:04:57 -0500 Received: (qmail 26744 invoked by uid 107); 13 Nov 2012 17:05:45 -0000 Received: from sigill.intra.peff.net (HELO sigill.intra.peff.net) (10.0.0.7) (smtp-auth username relayok, mechanism cram-md5) by peff.net (qpsmtpd/0.84) with ESMTPA; Tue, 13 Nov 2012 12:05:45 -0500 Received: by sigill.intra.peff.net (sSMTP sendmail emulation); Tue, 13 Nov 2012 12:04:52 -0500 Content-Disposition: inline In-Reply-To: Sender: git-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: git@vger.kernel.org Archived-At: On Tue, Nov 13, 2012 at 09:44:06AM -0500, Drew Northup wrote: > I don't buy the argument that we don't need to clean up the input as > well. There are scant few of us that are going to name a file > "" in this world (I am > probably one of them). Input validation is key to keeping problems > like this from coming up repeatedly as those writing the guts of > programs are typically more interested in getting the "assigned task" > done and reporting the output to the user in a safe manner. Oh, you absolutely do need to clean up the input side. And we do. Notice how validate_pathname cleans out dots that could allow an attacker to do a "../../etc/passwd" attack. But the input validation is _different_ than the output escaping. We are turning arbitrary junk from the user into something we know is safe to treat as a filename. Our goal is protecting the filesystem and the server, and we do that already. Protecting the browser on output is a different problem, and happens only when we are sending to the browser. As far as "people will not use