Date: Tue, 14 Jun 2011 16:24:52 +0200
From: Jakub Narebski <jnareb@...il.com>
To: Ludwig Nussel <ludwig.nussel@...e.de>
Cc: oss-security@...ts.openwall.com,
 dave b <db.pub.mail@...il.com>,
 Jamie Strandboge <jamie@...onical.com>,
 Junio C Hamano <gitster@...ox.com>
Subject: [CVE-2011-2186] [PATCH] gitweb: Enable $prevent_xss by default

On Tue, 14 June 2011, Jakub Narebski wrote:
> On Tue, 14 June 2011, Ludwig Nussel wrote:
> > Jakub Narebski wrote:
> 
> > > [...] it is enough to enable XSS prevention by adding
> > > 
> > >   our $prevent_xss = 1;
> > > 
> > > in gitweb configuration file.
> > 
> > What about making that the default?
> 
> I'll come up with a patch...

And here it is (though I am not sure if it is the correct form
of including attributions / acknowledgements):

Based on 'maint', applies to 'master'.
-- >8 --
From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default

This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804

Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
 git-instaweb.sh    |    4 ++++
 gitweb/README      |    5 +++--
 gitweb/gitweb.perl |    2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/git-instaweb.sh b/git-instaweb.sh
index 8bfa8a0..e541164 100755
--- a/git-instaweb.sh
+++ b/git-instaweb.sh
@@ -583,6 +583,10 @@ our \$projectroot = "$(dirname "$fqgitdir")";
 our \$git_temp = "$fqgitdir/gitweb/tmp";
 our \$projects_list = \$projectroot;
 
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
 \$feature{'remote_heads'}{'default'} = [1];
 EOF
 }
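Review bot: the comment on the three added lines should say explicitly that this is a deliberate opt-out from the new `$prevent_xss = 1` default that the same patch sets in gitweb.perl, and name the reason (git-instaweb serves the user's own local repository), so that anyone who later copies the generated gitweb config to a multi-user server does not carry `our \$prevent_xss = 0;` along by accident; "we can trust our own repository, so disable XSS prevention" reads as a general statement rather than an instaweb-specific exception.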
diff --git a/gitweb/README b/gitweb/README
index a92bde7..9ae5d84 100644
--- a/gitweb/README
+++ b/gitweb/README
@@ -236,8 +236,9 @@ not include variables usually directly set during build):
  * $prevent_xss
    If true, some gitweb features are disabled to prevent content in
    repositories from launching cross-site scripting (XSS) attacks.  Set this
-   to true if you don't trust the content of your repositories. The default
-   is false.
+   to false if you trust the content of your repositories, and want to use
+   per-repository README.html, or use gitweb as deployment platform
+   via 'blob_plain' view and path_info links. The default is true.
  * $maxload
    Used to set the maximum load that we will still respond to gitweb queries.
    If server load exceed this value then return "503 Service Unavailable" error.
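Review bot: the new README sentence should state what an administrator loses with the default now true, i.e. that per-repository README.html, 'blob_plain' as a deployment platform and path_info links are unavailable unless `$prevent_xss` is set to false, rather than only listing them as reasons to turn it off; a reader upgrading an existing installation needs to see that these features change behaviour. Minor wording: "use gitweb as deployment platform" should read "use gitweb as a deployment platform".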
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index f8db40a..0351338 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -162,7 +162,7 @@ our @diff_opts = ('-M'); # taken from git_commit
 
 # Disables features that would allow repository owners to inject script into
 # the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
 
 # Path to the highlight executable to use (must be the one from
 # http://www.andre-simon.de due to assumptions about parameters and output).
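Review bot: flipping the default in this hunk is a behaviour change for every existing deployment, but the commit message only says "This fixes issue CVE-2011-2186" and points at the bug report; it should add a sentence that installations relying on per-repository README.html, 'blob_plain' delivery or path_info links now need an explicit `our $prevent_xss = 0;` in their gitweb configuration, so that maintainers backporting the fix (it is based on 'maint') can warn their users. The existing comment above the variable ("Disables features that would allow repository owners to inject script into the gitweb domain") already justifies the new default and needs no change.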
-- 
1.7.5
