Date: Tue, 14 Jun 2011 15:38:58 +0200
From: Ludwig Nussel <ludwig.nussel@...e.de>
To: Jakub Narebski <jnareb@...il.com>
Cc: oss-security@...ts.openwall.com, dave b <db.pub.mail@...il.com>,
	Jamie Strandboge <jamie@...onical.com>,
	Junio C Hamano <gitster@...ox.com>
Subject: Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files

Jakub Narebski wrote:
> On Tue, 14 June 2011, Ludwig Nussel wrote:
> > Jakub Narebski wrote:
> 
> > > [...] it is enough to enable XSS prevention by adding
> > > 
> > >   our $prevent_xss = 1;
> > > 
> > > in gitweb configuration file.
> > 
> > What about making that the default?
> 
> I'll come up with a patch... though I am not sure if it shouldn't be
> done by distributions, which usually ship their own system-wide
> gitweb config file.

We don't have a system wide config at least. It's just the defaults
in the script.

> Note that with $prevent_xss enabled gitweb is a bit poorer in features:
> no support for $GIT_DIR/README.html, no using gitweb as deploy platform.
> XSS threat level for gitweb isn't high, I think - there is nothing to
> steal.

You never know. Better safe than sorry :-)

> > For convenience it may make sense to s!text/.*!text/plain! and allow
> > to display that inline.
> 
> Already done in
> 
>   [PATCH] gitweb: Make $prevent_xss protection for 'blob_plain' more usable
>   http://article.gmane.org/gmane.comp.version-control.git/175604
>   http://thread.gmane.org/gmane.comp.version-control.git/175057/focus=175604
> 
> It is in git repository as
> 
>   fb76adb (gitweb: Make $prevent_xss protection for 'blob_plain' more usable, 2011-06-10)
> 
> currently in 'pu' (proposed updates) patch.

Ah, nice :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
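The `blob_plain` hardening the thread refers to (with `$prevent_xss` on, `text/*` is downgraded to `text/plain` and shown inline, a few image types stay inline, everything else is forced into a download) as an added illustration in Python; this is not gitweb's own Perl code, and the function name, the safe-type list and the sample MIME types are assumptions made for the example.

```python
import re

# Constructed model of the response-header policy for raw blobs. It is an
# illustration of the approach discussed on the list, not gitweb's code.

# Types a browser may render inline without executing script in our origin
# (constructed list; SVG is deliberately absent because it can carry script).
SAFE_INLINE = re.compile(r"^(?:text/[a-z]+|image/(?:gif|png|jpeg))(?:[ ;]|$)")
# Any text/* type, capturing trailing parameters such as "; charset=utf-8".
TEXT_TYPE = re.compile(r"^text/[a-z]+\b(.*)$")


def blob_plain_headers(mime_type, save_as, prevent_xss):
    """Return the (Content-Type, Content-Disposition) pair for a raw blob.

    With prevent_xss=False the blob is served verbatim, so an HTML file in
    the repository is rendered in the web frontend's origin (the XSS case).
    With prevent_xss=True markup is neutralised by forcing text/plain and
    non-safe types are served as attachments so they never render at all.
    """
    content_type = mime_type
    disposition = "inline"
    if prevent_xss:
        m = TEXT_TYPE.match(mime_type)
        if m:
            # text/html -> text/plain, keeping e.g. "; charset=utf-8"
            content_type = "text/plain" + m.group(1)
        if not SAFE_INLINE.match(mime_type):
            disposition = "attachment"
    return content_type, '%s; filename="%s"' % (disposition, save_as)


if __name__ == "__main__":
    # Constructed sample blobs, shown with protection off and on.
    for mime, name in [("text/html; charset=utf-8", "index.html"),
                       ("image/svg+xml", "logo.svg"),
                       ("image/png", "logo.png"),
                       ("application/pdf", "paper.pdf")]:
        for flag in (False, True):
            ct, cd = blob_plain_headers(mime, name, flag)
            print("prevent_xss=%-5s %-25s -> %s | %s" % (flag, mime, ct, cd))
```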
