[0/4] gitweb: quote base url more consistently

Message ID	20191115090545.GA30971@sigill.intra.peff.net (mailing list archive)
Headers	show Return-Path: <SRS0=V4lN=ZH=vger.kernel.org=git-owner@kernel.org> Date: Fri, 15 Nov 2019 04:05:45 -0500 From: Jeff King <peff@peff.net> To: git@vger.kernel.org Cc: NAKAYAMA DAISUKE <nakyamad@icloud.com> Subject: [PATCH 0/4] gitweb: quote base url more consistently Message-ID: <20191115090545.GA30971@sigill.intra.peff.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Sender: git-owner@vger.kernel.org Precedence: bulk
Series	gitweb: quote base url more consistently \| expand [0/4] gitweb: quote base url more consistently [1/4] t9502: pass along all arguments in xss helper [2/4] t/gitweb-lib.sh: drop confusing quotes [3/4] t/gitweb-lib.sh: set $REQUEST_URI [4/4] gitweb: escape URLs generated by href()

Message ID

20191115090545.GA30971@sigill.intra.peff.net (mailing list archive)

Headers

Date: Fri, 15 Nov 2019 04:05:45 -0500
From: Jeff King <peff@peff.net>
To: git@vger.kernel.org
Cc: NAKAYAMA DAISUKE <nakyamad@icloud.com>
Subject: [PATCH 0/4] gitweb: quote base url more consistently
Message-ID: <20191115090545.GA30971@sigill.intra.peff.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Sender: git-owner@vger.kernel.org
Precedence: bulk

Series

gitweb: quote base url more consistently | expand

Message

Jeff King Nov. 15, 2019, 9:05 a.m. UTC

This series fixes an XSS issue reported to the git-security list where
gitweb doesn't always quote its base url, meaning a specially-crafted
URL can inject HTML into the finished page. Given the relatively low
severity of the problem and my lack of familiarity with gitweb, it makes
sense to me to just discuss this one in the open.

Credit for the finding the problem (and some patient explanations) goes
to NAKAYAMA DAISUKE <nakyamad@icloud.com>.

  [1/4]: t9502: pass along all arguments in xss helper
  [2/4]: t/gitweb-lib.sh: drop confusing quotes
  [3/4]: t/gitweb-lib.sh: set $REQUEST_URI
  [4/4]: gitweb: escape URLs generated by href()

 gitweb/gitweb.perl                        | 31 +++++++++++++----------
 t/gitweb-lib.sh                           |  7 ++---
 t/t9502-gitweb-standalone-parse-output.sh |  7 ++---
 3 files changed, 25 insertions(+), 20 deletions(-)

-Peff

Comments

Junio C Hamano Nov. 18, 2019, 1:45 a.m. UTC | #1

Jeff King <peff@peff.net> writes:

> This series fixes an XSS issue reported to the git-security list where
> gitweb doesn't always quote its base url, meaning a specially-crafted
> URL can inject HTML into the finished page. Given the relatively low
> severity of the problem and my lack of familiarity with gitweb, it makes
> sense to me to just discuss this one in the open.
>
> Credit for the finding the problem (and some patient explanations) goes
> to NAKAYAMA DAISUKE <nakyamad@icloud.com>.
>
>   [1/4]: t9502: pass along all arguments in xss helper
>   [2/4]: t/gitweb-lib.sh: drop confusing quotes
>   [3/4]: t/gitweb-lib.sh: set $REQUEST_URI
>   [4/4]: gitweb: escape URLs generated by href()
>
>  gitweb/gitweb.perl                        | 31 +++++++++++++----------
>  t/gitweb-lib.sh                           |  7 ++---
>  t/t9502-gitweb-standalone-parse-output.sh |  7 ++---
>  3 files changed, 25 insertions(+), 20 deletions(-)
>
> -Peff


Thanks, will queue.