Date: Tue, 14 Jun 2011 15:38:58 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: Jakub Narebski <jnareb@...il.com>
Cc: oss-security@...ts.openwall.com, dave b <db.pub.mail@...il.com>, Jamie Strandboge <jamie@...onical.com>, Junio C Hamano <gitster@...ox.com>
Subject: Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files

Jakub Narebski wrote:
> On Tue, 14 June 2011, Ludwig Nussel wrote:
> > Jakub Narebski wrote:
> > > > [...] it is enough to enable XSS prevention by adding
> > > >
> > > > our $prevent_xss = 1;
> > > >
> > > > in gitweb configuration file.
> >
> > What about making that the default?
>
> I'll come up with a patch... though I am not sure if it shouldn't be
> done by distributions, which usually ship their own system-wide
> gitweb config file.

We don't have a system-wide config at least. It's just the defaults in
the script.

> Note that with $prevent_xss enabled gitweb is a bit poorer in features:
> no support for $GIT_DIR/README.html, no using gitweb as deploy platform.
> XSS threat level for gitweb isn't high, I think - there is nothing to
> steal.

You never know. Better safe than sorry :-)

> > For convenience it may make sense to s!text/.*!text/plain! and allow
> > to display that inline.
>
> Already done in
>
> [PATCH] gitweb: Make $prevent_xss protection for 'blob_plain' more usable
> http://article.gmane.org/gmane.comp.version-control.git/175604
> http://thread.gmane.org/gmane.comp.version-control.git/175057/focus=175604
>
> It is in git repository as
>
> fb76adb (gitweb: Make $prevent_xss protection for 'blob_plain' more usable, 2011-06-10)
>
> currently in 'pu' (proposed updates) patch.

Ah, nice :-)

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
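The header selection that $prevent_xss implies for the 'blob_plain' view (text/* collapsed to text/plain and shown inline, everything else forced to download), modelled as an added Python example rather than gitweb's own Perl; the function names, the sample filenames and the extra nosniff header are assumptions of this example, not part of the thread or of gitweb.

```python
import re
from typing import Dict

# Illustrative model of gitweb's $prevent_xss handling for raw blobs.
# Not gitweb code; names are hypothetical.

def _safe_filename(filename: str) -> str:
    """Strip characters that would break out of the quoted header value."""
    return re.sub(r'["\r\n]', "", filename)

def blob_plain_headers(mime_type: str, filename: str, prevent_xss: bool) -> Dict[str, str]:
    """Return response headers for a raw blob served by 'blob_plain'.

    Without $prevent_xss the blob keeps its guessed type and is shown inline,
    so a text/html blob is rendered in gitweb's own origin (CVE-2011-2186).
    With $prevent_xss every text/* type becomes text/plain and stays inline
    (the 'more usable' change quoted above); anything else becomes a download.
    """
    base_type = mime_type.split(";", 1)[0].strip().lower()
    name = _safe_filename(filename)
    headers: Dict[str, str] = {}

    if not prevent_xss:
        headers["Content-Type"] = mime_type
        headers["Content-Disposition"] = f'inline; filename="{name}"'
        return headers

    if base_type.startswith("text/"):
        # s!text/.*!text/plain! while keeping any "; charset=..." parameter.
        headers["Content-Type"] = re.sub(r"^text/[^;]*", "text/plain", mime_type)
        headers["Content-Disposition"] = f'inline; filename="{name}"'
    else:
        # e.g. image/svg+xml or application/xhtml+xml: never render in-origin.
        headers["Content-Type"] = mime_type
        headers["Content-Disposition"] = f'attachment; filename="{name}"'

    # Added hardening beyond the thread: keep browsers from sniffing the
    # text/plain body back into HTML.
    headers["X-Content-Type-Options"] = "nosniff"
    return headers

def is_rendered_as_markup(headers: Dict[str, str]) -> bool:
    """Rough check: would a browser execute script from this response?"""
    ctype = headers["Content-Type"].split(";", 1)[0].strip().lower()
    inline = headers["Content-Disposition"].startswith("inline")
    return inline and ctype in ("text/html", "application/xhtml+xml", "image/svg+xml")
```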