oss-sec mailing list archives
Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 14 Jun 2011 15:38:58 +0200
Jakub Narebski wrote:
> On Tue, 14 June 2011, Ludwig Nussel wrote:
>> Jakub Narebski wrote:
>>> [...] it is enough to enable XSS prevention by adding our $prevent_xss = 1;
>>> in gitweb configuration file.
>>
>> What about making that the default?
>
> I'll come up with a patch... though I am not sure if it shouldn't be done
> by distributions, which usually ship their own system-wide gitweb config file.
We don't have a system wide config at least. It's just the defaults in the script.
> Note that with $prevent_xss enabled gitweb is a bit poorer in features:
> no support for $GIT_DIR/README.html, no using gitweb as deploy platform.
> XSS threat level for gitweb isn't high, I think - there is nothing to steal.
You never know. Better safe than sorry :-)
>> For convenience it may make sense to s!text/.*!text/plain! and allow to
>> display that inline.
>
> Already done in
>
>   [PATCH] gitweb: Make $prevent_xss protection for 'blob_plain' more usable
>   http://article.gmane.org/gmane.comp.version-control.git/175604
>   http://thread.gmane.org/gmane.comp.version-control.git/175057/focus=175604
>
> It is in git repository as fb76adb (gitweb: Make $prevent_xss protection
> for 'blob_plain' more usable, 2011-06-10) currently in 'pu' (proposed
> updates) patch.
Ah, nice :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer,
HRB 16746 (AG Nürnberg)
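The header selection the thread is talking about, as an added illustration (in Python rather than gitweb's Perl, and not gitweb's own code): with $prevent_xss on, text/* blobs such as HTML are downgraded to text/plain and shown inline, a few image types stay inline, and everything else is sent as an attachment so it never renders in gitweb's origin. The type patterns and the fallback file name are assumptions made for the example, not gitweb's exact rules.

```python
import re

# Constructed model of $prevent_xss handling for gitweb's 'blob_plain' view.
# Not gitweb's own code; the type patterns are assumptions chosen to show the
# behaviour discussed in the thread, not the project's exact regexes.

# Types allowed to render inline even with XSS prevention on.  text/* is safe
# only because it is rewritten to text/plain below; image/svg+xml is left out
# on purpose because SVG documents can carry script.
INLINE_TEXT = re.compile(r"^text/[\w.+-]+(.*)$")
INLINE_IMAGE = re.compile(r"^image/(?:gif|png|jpeg)(?:[ ;]|$)")


def blob_plain_headers(mime_type, file_name, prevent_xss):
    """Return the HTTP headers a 'blob_plain' response would carry.

    mime_type   -- type guessed for the blob (for example from its file name)
    file_name   -- name offered for "save as"; None when only a hash is known
    prevent_xss -- value of the $prevent_xss gitweb option
    """
    content_type = mime_type
    text = INLINE_TEXT.match(mime_type)
    if prevent_xss and text:
        # The s!text/.*!text/plain! from the thread: the browser shows the
        # source as text and never interprets markup or script in it.  Any
        # parameters such as "; charset=utf-8" are kept.
        content_type = "text/plain" + (text.group(1) or "")
    # Everything that is neither text nor a known-safe image type leaves the
    # security domain as a download instead of being rendered.
    sandbox = bool(prevent_xss) and not (text or INLINE_IMAGE.match(mime_type))
    disposition = "attachment" if sandbox else "inline"
    save_as = file_name if file_name else "blob"  # assumed fallback name
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{save_as}"',
    }


if __name__ == "__main__":
    for mt, name in [("text/html", "index.html"), ("image/png", "logo.png"),
                     ("image/svg+xml", "logo.svg"), ("application/pdf", None)]:
        print(mt, blob_plain_headers(mt, name, prevent_xss=True))
```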