[PATCH 0/4] gitweb: quote base url more consistently
To
git@vger.kernel.org
Cc
NAKAYAMA DAISUKE
From
Jeff King
Date
2019-11-15 09:05:45 UTC
This series fixes an XSS issue reported to the git-security list where
gitweb doesn't always quote its base url, meaning a specially-crafted
URL can inject HTML into the finished page. Given the relatively low
severity of the problem and my lack of familiarity with gitweb, it makes
sense to me to just discuss this one in the open.

Credit for the finding the problem (and some patient explanations) goes
to NAKAYAMA DAISUKE <nakyamad@icloud.com>.

  [1/4]: t9502: pass along all arguments in xss helper
  [2/4]: t/gitweb-lib.sh: drop confusing quotes
  [3/4]: t/gitweb-lib.sh: set $REQUEST_URI
  [4/4]: gitweb: escape URLs generated by href()

 gitweb/gitweb.perl                        | 31 +++++++++++++----------
 t/gitweb-lib.sh                           |  7 ++---
 t/t9502-gitweb-standalone-parse-output.sh |  7 ++---
 3 files changed, 25 insertions(+), 20 deletions(-)

-Peff