Date: Tue, 14 Jun 2011 14:46:40 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: Jakub Narebski <jnareb@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: XSS security issue in gitweb for 'blob_plain' view with HTML files

Jakub Narebski wrote:
> On Fri, 3 July 2011, Jakub Narebski wrote:
> [...]
> > Proposed patch:
> > ---------------
> > Note that it includes unrelated fix for $prevent_xss feature.  It would
> > be split in separate patch (non-security related bugfix).
> > 
> > With this patch above lol.xml would be served as text/plain...
> > 
> > -- >8 --
> > diff --git i/gitweb/gitweb.perl w/gitweb/gitweb.perl
> > index 240dd47..a3c03f3 100755
> > --- i/gitweb/gitweb.perl
> > +++ w/gitweb/gitweb.perl
> > @@ -3595,7 +3595,7 @@ sub blob_mimetype {
> >  	my $fd = shift;
> >  	my $filename = shift;
> >  
> > -	if ($filename) {
> > +	if ($filename && !$prevent_xss) {
> >  		my $mime = mimetype_guess($filename);
> >  		$mime and return $mime;
> >  	}
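Review bot: gating the whole filename-based guess on `!$prevent_xss` in blob_mimetype means mimetype_guess() is never consulted when XSS prevention is on, so the guessed type is lost for every filename, not only for the HTML/XML cases this thread is about; the narrower fix, and the one the follow-up settles on, is to leave guessing alone and rewrite text/* to text/plain at the point where the blob is served. If the hunk is kept, it should go in its own patch, as the note above already says, with a commit message stating why guessing is skipped under $prevent_xss.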
> 
> So I think the above is not necessary; it is enough to enable XSS
> prevention by adding
> 
>   our $prevent_xss = 1;
> 
> in gitweb configuration file.

What about making that the default?
For convenience it may make sense to s!text/.*!text/plain! and allow
displaying that inline.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
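The serving policy the two replies describe (guessed type kept with $prevent_xss off; with it on, text/* rewritten to text/plain and shown inline, everything else handed out as a download), as an added example in Python that is not gitweb's code and not from either poster. GUESS_TABLE, guess_mime(), download_name(), the text/plain fallback for unknown types and the small raster-image allowlist are this example's own assumptions standing in for gitweb's mime.types lookup and its other checks; gitweb itself does this in Perl in gitweb.perl.

```python
import os
import re

# Constructed stand-in for gitweb's mimetype_guess() / mime.types lookup.
# The extension-to-type mapping is this example's own, not gitweb's table.
GUESS_TABLE = {
    '.html': 'text/html',
    '.xml': 'text/xml',
    '.xhtml': 'application/xhtml+xml',
    '.svg': 'image/svg+xml',
    '.png': 'image/png',
    '.c': 'text/x-csrc',
}

# Any text/<subtype>, capturing trailing parameters such as "; charset=utf-8".
TEXT_RE = re.compile(r'^text/[a-z0-9.+-]+(.*)$', re.IGNORECASE)
# Raster image types a browser renders without running script; kept inline so an
# <img> in the HTML blob view can still point at the raw blob.  This allowlist is
# the example's assumption, not something the thread specifies.
SAFE_IMAGE_RE = re.compile(r'^image/(gif|png|jpeg)(?:[ ;]|$)', re.IGNORECASE)


def guess_mime(filename):
    """Filename-based guess, as gitweb does when it knows the path (None if unknown)."""
    ext = os.path.splitext(filename)[1].lower()
    return GUESS_TABLE.get(ext)


def download_name(filename):
    """Name safe to put in a quoted Content-Disposition parameter: basename only,
    with quotes, CR/LF and other non-token characters replaced (assumption: gitweb
    may handle this differently)."""
    base = filename.rsplit('/', 1)[-1]
    safe = re.sub(r'[^A-Za-z0-9._-]', '_', base)
    return safe or 'blob'


def blob_plain_headers(mime, filename, prevent_xss):
    """Return (Content-Type, Content-Disposition) for one raw-blob response.

    mime:        what the filename-based guesser returned, or None
    prevent_xss: mirrors gitweb's $prevent_xss configuration knob
    """
    ctype = mime or 'text/plain'   # fallback chosen for the example
    disposition = 'inline'
    if prevent_xss:
        m = TEXT_RE.match(ctype)
        if m:
            # s!text/.*!text/plain!, but keep parameters such as "; charset=utf-8"
            # so the browser still decodes the bytes correctly.
            ctype = 'text/plain' + m.group(1)
        elif not SAFE_IMAGE_RE.match(ctype):
            # XHTML, SVG, XML with a stylesheet, ... are all interpreted by the
            # browser; serve them as a download so they never run in the gitweb
            # origin.  Without $prevent_xss they would go out inline, as guessed.
            disposition = 'attachment'
    return ctype, '%s; filename="%s"' % (disposition, download_name(filename))


def serve(filename, prevent_xss):
    """Guess the type from the name, then apply the policy (convenience wrapper)."""
    return blob_plain_headers(guess_mime(filename), filename, prevent_xss)


if __name__ == '__main__':
    for name in ('lol.html', 'lol.xml', 'lol.xhtml', 'logo.svg', 'logo.png', 'main.c'):
        print('%-10s default: %-48s prevent_xss=1: %s'
              % (name, serve(name, False), serve(name, True)))
```

Run with prevent_xss=False the wrapper reproduces the problem from the subject line: lol.html goes out as text/html inline, in gitweb's own origin. With prevent_xss=True, lol.html and lol.xml become text/plain inline (the "lol.xml would be served as text/plain" outcome mentioned above), while lol.xhtml and logo.svg, whose types are not text/*, are forced to Content-Disposition: attachment.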
