Re: [PATCH 0/4] gitweb: quote base url more consistently
To
Jeff King
Cc
git@vger.kernel.org
NAKAYAMA DAISUKE
From
Junio C Hamano
See Also
Prev
Date
2019-11-18 01:45:46 UTC
Jeff King <peff@peff.net> writes:

> This series fixes an XSS issue reported to the git-security list where
> gitweb doesn't always quote its base url, meaning a specially-crafted
> URL can inject HTML into the finished page. Given the relatively low
> severity of the problem and my lack of familiarity with gitweb, it makes
> sense to me to just discuss this one in the open.
>
> Credit for the finding the problem (and some patient explanations) goes
> to NAKAYAMA DAISUKE <nakyamad@icloud.com>.
>
>   [1/4]: t9502: pass along all arguments in xss helper
>   [2/4]: t/gitweb-lib.sh: drop confusing quotes
>   [3/4]: t/gitweb-lib.sh: set $REQUEST_URI
>   [4/4]: gitweb: escape URLs generated by href()
>
>  gitweb/gitweb.perl                        | 31 +++++++++++++----------
>  t/gitweb-lib.sh                           |  7 ++---
>  t/t9502-gitweb-standalone-parse-output.sh |  7 ++---
>  3 files changed, 25 insertions(+), 20 deletions(-)
>
> -Peff


Thanks, will queue.