oss-sec mailing list archives
[CVE-2011-2186] [PATCH] gitweb: Enable $prevent_xss by default
From: Jakub Narebski <jnareb () gmail com>
Date: Tue, 14 Jun 2011 16:24:52 +0200
On Tue, 14 June 2011, Jakub Narebski wrote:
> On Tue, 14 June 2011, Ludwig Nussel wrote:
> > Jakub Narebski wrote:
> > > [...] it is enough to enable XSS prevention by adding
> > >
> > >   our $prevent_xss = 1;
> > >
> > > in gitweb configuration file.
> >
> > What about making that the default?
>
> I'll come up with a patch...
And here it is (though I am not sure if it is the correct form of including attributions / acknowledgements): Based on 'maint', applies to 'master'. -- >8 -- From: Jakub Narebski <jnareb () gmail com> Subject: [PATCH] gitweb: Enable $prevent_xss by default This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804 Reported-by: dave b <db.pub.mail () gmail com> Signed-off-by: Jakub Narebski <jnareb () gmail com> --- git-instaweb.sh | 4 ++++ gitweb/README | 5 +++-- gitweb/gitweb.perl | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) diff --git a/git-instaweb.sh b/git-instaweb.sh index 8bfa8a0..e541164 100755 --- a/git-instaweb.sh +++ b/git-instaweb.sh @@ -583,6 +583,10 @@ our \$projectroot = "$(dirname "$fqgitdir")"; our \$git_temp = "$fqgitdir/gitweb/tmp"; our \$projects_list = \$projectroot; +# we can trust our own repository, so disable XSS prevention +# to enable some extra features +our \$prevent_xss = 0; + \$feature{'remote_heads'}{'default'} = [1]; EOF } diff --git a/gitweb/README b/gitweb/README index a92bde7..9ae5d84 100644 --- a/gitweb/README +++ b/gitweb/README @@ -236,8 +236,9 @@ not include variables usually directly set during build): * $prevent_xss If true, some gitweb features are disabled to prevent content in repositories from launching cross-site scripting (XSS) attacks. Set this - to true if you don't trust the content of your repositories. The default - is false. + to false if you trust the content of your repositories, and want to use + per-repository README.html, or use gitweb as deployment platform + via 'blob_plain' view and path_info links. The default is true. * $maxload Used to set the maximum load that we will still respond to gitweb queries. If server load exceed this value then return "503 Service Unavailable" error. diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index f8db40a..0351338 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl 
@@ -162,7 +162,7 @@ our @diff_opts = ('-M'); # taken from git_commit # Disables features that would allow repository owners to inject script into # the gitweb domain. -our $prevent_xss = 0; +our $prevent_xss = 1; # Path to the highlight executable to use (must be the one from # http://www.andre-simon.de due to assumptions about parameters and output). -- 1.7.5
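Review bot: in the git-instaweb.sh hunk, the added `our \$prevent_xss = 0;` re-opens, for every repository a user points git-instaweb at, exactly the hole the rest of the patch closes, and the justification "we can trust our own repository" only holds when every object in that repository is trusted, which is not the case for a clone that carries branches fetched from elsewhere. Suggest either dropping the override from the generated config or making the comment specific enough for the user to judge the trade, naming the features it buys (per-repository README.html and raw HTML via 'blob_plain', per the README hunk in this same patch) and when to delete the line, for example: "# local repository: disable XSS prevention to get README.html and raw blob_plain HTML; remove this if the repository contains branches you did not author". The `\$` escaping itself is consistent with the surrounding heredoc lines.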
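Review bot: the gitweb/README hunk records the new default ("The default is true.") but says nothing to operators of existing installations, who will lose per-repository README.html and HTML 'blob_plain' serving on upgrade without any message explaining why. Suggest one sentence in this paragraph stating that the default changed and showing the opt-out form a config file needs, i.e. `our $prevent_xss = 0;` in gitweb_config.perl, since the text now describes the effects of the flag but not how to turn it off. Minor wording: "use gitweb as deployment platform" should read "use gitweb as a deployment platform".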
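Review bot: in the gitweb.perl hunk the comment left above `our $prevent_xss = 1;` ("Disables features that would allow repository owners to inject script into the gitweb domain.") still reads as the description of an opt-in knob; now that the value is the default, extend the comment to say it is on by default and is meant to be switched off only from the configuration file for trusted repositories, matching the README wording, so someone reading gitweb.perl alone gets the same guidance. The change itself is the one-line default flip it should be: the variable stays `our`, so a configuration file can still override it, which is the mechanism the thread already relies on.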
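What the flag changes on the wire, as an added Perl illustration that is not gitweb's own code: the function below models the response header policy that gitweb's 'blob_plain' view applies when $prevent_xss is set. The $SAFE_INLINE whitelist, the rewrite of text/* to text/plain and the name blob_plain_headers() are assumptions modelled on gitweb's behaviour, not copied from gitweb.perl, and the README.html, SVG and PNG inputs are constructed.

```perl
#!/usr/bin/perl
# Added illustration, not gitweb's own code: a model of the response
# header policy gitweb's 'blob_plain' view applies under $prevent_xss.
# $SAFE_INLINE, blob_plain_headers() and the text/* rewrite are
# assumptions modelled on gitweb's behaviour, not copied from it.
use strict;
use warnings;

# Types considered safe to render inline even when the repository is
# untrusted: plain text and a few raster image formats. Everything
# else (text/html, image/svg+xml, application/xhtml+xml, ...) may
# carry script that would run in gitweb's origin.
my $SAFE_INLINE = qr!^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)!;

# Given the MIME type guessed for a blob, the "save as" file name and
# the $prevent_xss setting, return the Content-Type and
# Content-Disposition values for the blob_plain response.
sub blob_plain_headers {
    my ($type, $save_as, $prevent_xss) = @_;

    # Hardened: anything outside the whitelist is forced to download.
    my $sandbox = $prevent_xss && $type !~ $SAFE_INLINE;

    # Hardened: every text/* subtype is served as text/plain, keeping any
    # parameters such as "; charset=utf-8", so the browser shows the
    # blob as source instead of interpreting it as HTML.
    if ($prevent_xss && $type =~ m!^text/[a-z]+\b(.*)$!) {
        $type = "text/plain$1";
    }

    return (
        'Content-Type'        => $type,
        'Content-Disposition' => ($sandbox ? 'attachment' : 'inline')
                                 . qq{; filename="$save_as"},
    );
}

# Constructed inputs: blobs committed to a repository by someone the
# gitweb operator does not trust.
my @blobs = (
    [ 'text/html; charset=utf-8', 'README.html' ],
    [ 'image/svg+xml',            'logo.svg'    ],
    [ 'image/png',                'logo.png'    ],
);

for my $prevent_xss (0, 1) {
    print "\$prevent_xss = $prevent_xss\n";
    for my $blob (@blobs) {
        my ($type, $name) = @$blob;
        my %h = blob_plain_headers($type, $name, $prevent_xss);
        printf "  %-12s Content-Type: %-26s Content-Disposition: %s\n",
            $name, $h{'Content-Type'}, $h{'Content-Disposition'};
    }
}
```

With $prevent_xss = 0 the README.html blob goes out as text/html inline, so whatever script its committer put in it executes under the gitweb origin, which is the CVE. With the flag set, the same blob is served as text/plain with its charset parameter intact and is displayed as source; the SVG, which is outside the whitelist and can also carry script, is forced to an attachment; and the PNG is unaffected, which is why the whitelist exists rather than a blanket attachment rule.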
Current thread:
- Security issue in gitweb Jamie Strandboge (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files dave b (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 04)
- Re: Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Ludwig Nussel (Jun 14)
- Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 14)
- Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files Ludwig Nussel (Jun 14)
- [CVE-2011-2186] [PATCH] gitweb: Enable $prevent_xss by default Jakub Narebski (Jun 14)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 03)