Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 14 Jun 2011 16:24:52 +0200
From: Jakub Narebski <jnareb@...il.com>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com,
 dave b <db.pub.mail@...il.com>,
 Jamie Strandboge <jamie@...onical.com>,
 Junio C Hamano <gitster@...ox.com>
Subject: [CVE-2011-2186] [PATCH] gitweb: Enable $prevent_xss by default

On Tue, 14 June 2011, Jakub Narebski wrote:
> On Tue, 14 June 2011, Ludwig Nussel wrote:
> > Jakub Narebski wrote:
> 
> > > [...] it is enough to enable XSS prevention by adding
> > > 
> > >   our $prevent_xss = 1;
> > > 
> > > in gitweb configuration file.
> > 
> > What about making that the default?
> 
> I'll come up with a patch...

And here it is (though I am not sure if it is the correct form
of including attributions / acknowledgements):

Based on 'maint', applies to 'master'.
-- >8 --
From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default

This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804

Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
 git-instaweb.sh    |    4 ++++
 gitweb/README      |    5 +++--
 gitweb/gitweb.perl |    2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/git-instaweb.sh b/git-instaweb.sh
index 8bfa8a0..e541164 100755
--- a/git-instaweb.sh
+++ b/git-instaweb.sh
@@ -583,6 +583,10 @@ our \$projectroot = "$(dirname "$fqgitdir")";
 our \$git_temp = "$fqgitdir/gitweb/tmp";
 our \$projects_list = \$projectroot;
 
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
 \$feature{'remote_heads'}{'default'} = [1];
 EOF
 }
diff --git a/gitweb/README b/gitweb/README
index a92bde7..9ae5d84 100644
--- a/gitweb/README
+++ b/gitweb/README
@@ -236,8 +236,9 @@ not include variables usually directly set during build):
  * $prevent_xss
    If true, some gitweb features are disabled to prevent content in
    repositories from launching cross-site scripting (XSS) attacks.  Set this
-   to true if you don't trust the content of your repositories. The default
-   is false.
+   to false if you trust the content of your repositories, and want to use
+   per-repository README.html, or use gitweb as deployment platform
+   via 'blob_plain' view and path_info links. The default is true.
  * $maxload
    Used to set the maximum load that we will still respond to gitweb queries.
    If server load exceed this value then return "503 Service Unavailable" error.
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index f8db40a..0351338 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -162,7 +162,7 @@ our @diff_opts = ('-M'); # taken from git_commit
 
 # Disables features that would allow repository owners to inject script into
 # the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
 
 # Path to the highlight executable to use (must be the one from
 # http://www.andre-simon.de due to assumptions about parameters and output).
-- 
1.7.5

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ