Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 14 Jun 2011 15:14:24 +0200
From: Jakub Narebski <jnareb@...il.com>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com,
 dave b <db.pub.mail@...il.com>,
 Jamie Strandboge <jamie@...onical.com>,
 Junio C Hamano <gitster@...ox.com>
Subject: Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files

On Tue, 14 June 2011, Ludwig Nussel wrote:
> Jakub Narebski wrote:

> > [...] it is enough to enable XSS prevention by adding
> > 
> >   our $prevent_xss = 1;
> > 
> > in gitweb configuration file.
> 
> What about making that the default?

I'll come up with a patch... though I am not sure if it shouldn't be
done by distributions, which usually ship their own system-wide
gitweb config file.

Note that with $prevent_xss enabled gitweb is a bit poorer in features:
no support for $GIT_DIR/README.html, no using gitweb as deploy platform.
XSS threat level for gitweb isn't high, I think - there is nothing to
steal.

> For convenience it may make sense to s!text/.*!text/plain! and allow
> to display that inline.

Already done in

  [PATCH] gitweb: Make $prevent_xss protection for 'blob_plain' more usable
  http://article.gmane.org/gmane.comp.version-control.git/175604
  http://thread.gmane.org/gmane.comp.version-control.git/175057/focus=175604

It is in git repository as

  fb76adb (gitweb: Make $prevent_xss protection for 'blob_plain' more usable, 2011-06-10)

currently in 'pu' (proposed updates) patch.
-- 
Jakub Narebski
Poland

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ