Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 3 Jun 2011 19:01:28 +0200
From: Jakub Narebski <>
To: Jamie Strandboge <>
Cc: Junio C Hamano <>,,
 dave b <>
Subject: Re: XSS security issue in gitweb for 'blob_plain' view with HTML files

On Fri, 3 July 2011, Jamie Strandboge wrote:

> ----
> I am reporting a persistent xss vector in gitweb, note this requires a
> user to have commit access to a repository that gitweb is configured
> to display. The vector is the fact that gitweb "serves" up xml files -
> which can (just as gitweb does) embed html that could be used to
> perform a cross-site scripting attack.
> e.g. (lol.xml).
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> "">
> <html xmlns="" xml:lang="en-US" lang="en-US">
> <head>
> </head>
> <script>alert(1);</script>
> </html>
> and viewed at
> http://$HOSTNAME/$PATH_TO_GITWEB/?p=lolok;a=blob_plain;f=lol.xml
> ----
> Thanks in advance for your cooperation in coordinating a fix for this
> issue,

In short: This is a feature, not a bug.

Origin of current behavior:
The 'blob_plain' action (raw view) together with support for path_info
URLs were designed together so that gitweb could be used as a kind of
deploy platform.  For example you can browse git documentation from
'html' branch of git.git repository using gitweb, c.f.

Also, by default (and I think in most configurations) there isn't
anything worth stealing using cross-side scripting attack; there
is no login information, no cookies with sensitive information...

Proposal of solution:
Nevertheless gitweb include a germ of anti-XSS framework, namely
$prevent_xss gitweb configuration variable.

It is currently used to prevent displaying README.html from $GIT_DIR
of repository, but I think it can be reused for this situation (at
the cost of reduced feature set).  Namely if $prevent_xss is true,
we can simply serve all 'blob_plain' as either text/plain or 
application/octet-stream (with possible exception of *.jpg, *.gif
and *.png images).

Proposed patch:
Note that it includes unrelated fix for $prevent_xss feature.  It would
be split in separate patch (non-security related bugfix).

With this patch above lol.xml would be served as text/plain...

-- >8 --
diff --git i/gitweb/gitweb.perl w/gitweb/gitweb.perl
index 240dd47..a3c03f3 100755
--- i/gitweb/gitweb.perl
+++ w/gitweb/gitweb.perl
@@ -3595,7 +3595,7 @@ sub blob_mimetype {
 	my $fd = shift;
 	my $filename = shift;
-	if ($filename) {
+	if ($filename && !$prevent_xss) {
 		my $mime = mimetype_guess($filename);
 		$mime and return $mime;
@@ -6127,7 +6127,7 @@ sub git_blob_plain {
 	# want to be sure not to break that by serving the image as an
 	# attachment (though Firefox 3 doesn't seem to care).
 	my $sandbox = $prevent_xss &&
-		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+		$type !~ m!^(?:text/plain(?:; ?charset=.*)|image/(?:gif|png|jpeg))$!;
 	print $cgi->header(
 		-type => $type,
-- 8< --

Jakub Narebski

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.