git.vger.kernel.org archive mirror
From: "Jakub Narębski" <jnareb@gmail.com>
To: Junio C Hamano <gitster@pobox.com>
Cc: Jeff King <peff@peff.net>, Drew Northup <n1xim.email@gmail.com>,
	glpk xypron <xypron.glpk@gmx.de>,
	git@vger.kernel.org
Subject: Re: [BUG] gitweb: XSS vulnerability of RSS feed
Date: Mon, 12 Nov 2012 22:13:27 +0100
Message-ID: <CANQwDwdRTeaVS5cMic5gv9SP1A8Z1vruOsZBFfMDQDTZHBAtvQ@mail.gmail.com>
In-Reply-To: <7vmwymh83r.fsf@alter.siamese.dyndns.org>

On Mon, Nov 12, 2012 at 9:36 PM, Junio C Hamano <gitster@pobox.com> wrote:
> Jeff King <peff@peff.net> writes:
>> On Mon, Nov 12, 2012 at 03:24:13PM -0500, Jeff King wrote:
>>
>>> I think the right answer is going to be a well-placed call to esc_html.
>>
>> I'm guessing the right answer is this:
>>
>> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
>> index 10ed9e5..a51a8ba 100755
>> --- a/gitweb/gitweb.perl
>> +++ b/gitweb/gitweb.perl
>> @@ -8055,6 +8055,7 @@ sub git_feed {
>>               $feed_type = 'history';
>>       }
>>       $title .= " $feed_type";
>> +     $title = esc_html($title);
>>       my $descr = git_get_project_description($project);
>>       if (defined $descr) {
>>               $descr = esc_html($descr);
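Review bot: $title is escaped in place right after the last piece is appended, so every later use of $title inside git_feed receives the escaped form; since the author says the change is untested, the print statement further down should be checked to confirm it does not pass $title through esc_html a second time (a double-escaped title shows up as a literal "&amp;lt;" in feed readers), and a test with a project whose name or description contains "<" or "&" would pin the fix down. Putting the call on its own line after `$title .= " $feed_type";` matches how $descr is escaped immediately below, which keeps the escaping pattern in this function consistent.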
>>
>> but I did not test it (and I am not that familiar with gitweb, so it is
>> a slight guess from spending 5 minutes grepping and reading).
>
> Yeah, that looks correct, given how the other variables
> emitted with the same "print", like $descr and $owner, are formed.

It looks like a good solution to me too.

Nb. the problems with the feed are mainly because it is generated
by hand, even more so than the HTML (which uses CGI.pm).

-- 
Jakub Narębski
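As an added example (not gitweb's code and not from anyone in this thread), a small Python regression check that mirrors how git_feed concatenates the untrusted project-derived string with the fixed $feed_type suffix into a hand-built <title>, and shows why the esc_html call matters: it parses the emitted feed and verifies that the title survives as plain text rather than as injected elements or a malformed document. The project names used as input are constructed samples.

```python
import html
import xml.etree.ElementTree as ET


def build_feed_title(project, feed_type, escape):
    """Simplified model of gitweb's git_feed title assembly: an untrusted,
    project-derived string followed by the fixed feed_type suffix
    (mirrors `$title .= " $feed_type"`).  `escape` applies esc_html-style
    entity escaping of &, <, >, " and ' to the whole title, as the fix does."""
    title = f"{project} {feed_type}"
    if escape:
        title = html.escape(title, quote=True)
    return title


def render_rss(title):
    # Hand-built XML, as in gitweb's feed code: no templating layer escapes for us.
    return f'<rss version="2.0"><channel><title>{title}</title></channel></rss>'


def title_round_trips(project, feed_type, escape):
    """Defender-side check: parse the emitted feed and confirm the <title>
    element carries exactly the intended text.  Returns (ok, detail)."""
    doc = render_rss(build_feed_title(project, feed_type, escape))
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        # An unescaped '&' in the project name breaks well-formedness.
        return False, f"feed is not well-formed XML: {exc}"
    title_el = root.find("./channel/title")
    if len(list(title_el)) > 0:
        # An unescaped '<' turned part of the title into child elements.
        return False, "markup injected into <title>: child elements present"
    expected = f"{project} {feed_type}"
    got = title_el.text or ""
    if got != expected:
        return False, f"title text differs from expected: {got!r}"
    return True, "ok"
```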


Thread overview: 15+ messages
2012-11-11 23:28 [BUG] gitweb: XSS vulnerability of RSS feed glpk xypron
2012-11-12 18:55 ` Drew Northup
2012-11-12 20:24   ` Jeff King
2012-11-12 20:27     ` Jeff King
2012-11-12 20:36       ` Junio C Hamano
2012-11-12 21:13         ` Jakub Narębski [this message]
2012-11-12 21:34           ` Jeff King
2012-11-13 14:44     ` Drew Northup
2012-11-13 15:19       ` Jakub Narębski
2012-11-13 15:45       ` Kevin
2012-11-13 15:57         ` Jakub Narębski
2012-11-13 17:04       ` Jeff King
2012-11-13 17:22         ` Jakub Narębski
2012-11-12 23:09   ` Andreas Schwab
2012-11-13  8:31   ` Pyeron, Jason J CTR (US)