From: "Jakub Narębski" <jnareb@gmail.com>
To: Jeff King <peff@peff.net>
Cc: Drew Northup <n1xim.email@gmail.com>,
glpk xypron <xypron.glpk@gmx.de>,
git@vger.kernel.org, Junio C Hamano <gitster@pobox.com>,
"Jason J Pyeron CTR (US)" <jason.j.pyeron.ctr@mail.mil>,
Andreas Schwab <schwab@linux-m68k.org>
Subject: Re: [BUG] gitweb: XSS vulnerability of RSS feed
Date: Tue, 13 Nov 2012 18:22:56 +0100
Message-ID: <CANQwDwcNXPhA3Qe2K_GLuh3F8DObDQ+Wn_PHhTkJqM+4D+SK0w@mail.gmail.com>
In-Reply-To: <20121113170452.GE20361@sigill.intra.peff.net>
On Tue, Nov 13, 2012 at 6:04 PM, Jeff King <peff@peff.net> wrote:
> On Tue, Nov 13, 2012 at 09:44:06AM -0500, Drew Northup wrote:
>> Besides, inserting one call to esc_html only fixes one attack path. I
>> didn't look to see if all others were already covered.
>
> Properly quoting output is something that the web framework should do
> for you. gitweb uses CGI.pm, which does help with that, but we do not
> use it consistently. If there are other problematic areas, I think the
> best path forward is to use our framework more.
Well, calling CGI.pm a _framework_ is overly generous, but it does
include some HTML generation subroutines / methods, and gitweb
makes use of them, especially $cgi->a() for links.

But it cannot help in this case, because here we are generating XML:
RSS or Atom feed. There was a proposal some time ago to switch
to using XML::FeedPP or XML::Atom::Feed + XML::RSS::Feed for
feed generation.

Perhaps it is high time to switch to some Perl web (micro)framework,
like Dancer, Mojolicious or Catalyst... but not requiring extra modules
has its advantages (and there always exists Gitalist).
--
Jakub Narebski
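The point made above, that an HTML-oriented helper such as esc_html or CGI.pm's output methods does not cover the XML feed path, is easiest to see with an escaper that sits at the XML output layer and is applied to every field. The following Perl script is an added illustration written for this page; it is not gitweb's code, and the esc_xml and rss_item subroutines, the example host name and the PLACEHOLDER_HASH value are all assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not gitweb's own code): escape untrusted commit data
# at the XML output layer when building an RSS <item>, so that every
# field is covered rather than one call site that happened to be noticed.
use strict;
use warnings;

# Escape the five characters that are special in XML text and attribute
# values. This is what a feed generator needs; CGI.pm's HTML helpers do
# not apply once the output document is RSS or Atom rather than HTML.
sub esc_xml {
    my ($str) = @_;
    return '' unless defined $str;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $str =~ s/([&<>"'])/$ent{$1}/g;
    return $str;
}

# Build one <item> from a hash of commit fields. Every value goes
# through esc_xml, including the link, whose query string may contain
# '&'. That uniform property is what a reviewer should check for,
# not whether one particular field is escaped.
sub rss_item {
    my ($commit) = @_;
    my $title = esc_xml($commit->{title});
    my $link  = esc_xml($commit->{link});
    my $desc  = esc_xml($commit->{body});
    return join("\n",
        "<item>",
        "  <title>$title</title>",
        "  <link>$link</link>",
        "  <description>$desc</description>",
        "</item>");
}

# Constructed sample input: a commit subject and body carrying markup,
# as an author could write them. Host and hash are placeholders.
my %commit = (
    title => 'Fix <b>bold</b> & "quoted" subject',
    link  => 'https://git.example.invalid/gitweb?p=repo.git&a=commit&h=PLACEHOLDER_HASH',
    body  => 'Body text with <script>alert(1)</script> inside',
);

# The markup comes out as &lt;b&gt;, &lt;script&gt; and &amp;, i.e. as
# inert character data, and the item remains well-formed XML.
print rss_item(\%commit), "\n";
```

The same rule applies to Atom: a text construct declared as type="html" carries HTML that must then be escaped once more as XML character data, so a field that is only HTML-escaped, or only XML-escaped, is wrong in one of the two formats. Wrapping fields in CDATA sections is not a substitute either, since the sequence `]]>` in commit data terminates the section early.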
Thread overview: 15+ messages
2012-11-11 23:28 [BUG] gitweb: XSS vulnerability of RSS feed glpk xypron
2012-11-12 18:55 ` Drew Northup
2012-11-12 20:24 ` Jeff King
2012-11-12 20:27 ` Jeff King
2012-11-12 20:36 ` Junio C Hamano
2012-11-12 21:13 ` Jakub Narębski
2012-11-12 21:34 ` Jeff King
2012-11-13 14:44 ` Drew Northup
2012-11-13 15:19 ` Jakub Narębski
2012-11-13 15:45 ` Kevin
2012-11-13 15:57 ` Jakub Narębski
2012-11-13 17:04 ` Jeff King
2012-11-13 17:22 ` Jakub Narębski [this message]
2012-11-12 23:09 ` Andreas Schwab
2012-11-13 8:31 ` Pyeron, Jason J CTR (US)