kernel
/
git
mirror of https://git.kernel.org/pub/scm/git/git.git
1
0
Fork 0
Code Releases Activity

Merge branch 'jk/gitweb-anti-xss' 

Some codepaths in "gitweb" that forgot to escape URLs generated
based on end-user input have been corrected.

* jk/gitweb-anti-xss:
  gitweb: escape URLs generated by href()
  t/gitweb-lib.sh: set $REQUEST_URI
  t/gitweb-lib.sh: drop confusing quotes
  t9502: pass along all arguments in xss helper
maint
Junio C Hamano 2019-12-01 09:04:41 -08:00
parent 3288d99c92 a376e37b2c
commit 6c630f237e
3 changed files with 25 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
gitweb/gitweb.perl
View File

@ -4048,7 +4048,7 @@ sub print_feed_meta {


$href_params{'extra_options'} = undef; $href_params{'extra_options'} = undef;
$href_params{'action'} = $type; $href_params{'action'} = $type;
$link_attr{'-href'} = href(%href_params); $link_attr{'-href'} = esc_attr(href(%href_params));
print "<link ". print "<link ".
"rel=\"$link_attr{'-rel'}\" ". "rel=\"$link_attr{'-rel'}\" ".
"title=\"$link_attr{'-title'}\" ". "title=\"$link_attr{'-title'}\" ".
@ -4057,7 +4057,7 @@ sub print_feed_meta {
"/>\n"; "/>\n";


$href_params{'extra_options'} = '--no-merges'; $href_params{'extra_options'} = '--no-merges';
$link_attr{'-href'} = href(%href_params); $link_attr{'-href'} = esc_attr(href(%href_params));
$link_attr{'-title'} .= ' (no merges)'; $link_attr{'-title'} .= ' (no merges)';
print "<link ". print "<link ".
"rel=\"$link_attr{'-rel'}\" ". "rel=\"$link_attr{'-rel'}\" ".
@ -4070,10 +4070,12 @@ sub print_feed_meta {
} else { } else {
printf('<link rel="alternate" title="%s projects list" '. printf('<link rel="alternate" title="%s projects list" '.
'href="%s" type="text/plain; charset=utf-8" />'."\n", 'href="%s" type="text/plain; charset=utf-8" />'."\n",
esc_attr($site_name), href(project=>undef, action=>"project_index")); esc_attr($site_name),
esc_attr(href(project=>undef, action=>"project_index")));
printf('<link rel="alternate" title="%s projects feeds" '. printf('<link rel="alternate" title="%s projects feeds" '.
'href="%s" type="text/x-opml" />'."\n", 'href="%s" type="text/x-opml" />'."\n",
esc_attr($site_name), href(project=>undef, action=>"opml")); esc_attr($site_name),
esc_attr(href(project=>undef, action=>"opml")));
} }
} }


@ -4287,8 +4289,8 @@ sub git_footer_html {
if (defined $action && if (defined $action &&
$action eq 'blame_incremental') { $action eq 'blame_incremental') {
print qq!<script type="text/javascript">\n!. print qq!<script type="text/javascript">\n!.
qq!startBlame("!. href(action=>"blame_data", -replay=>1) .qq!",\n!. qq!startBlame("!. esc_attr(href(action=>"blame_data", -replay=>1)) .qq!",\n!.
qq! "!. href() .qq!");\n!. qq! "!. esc_attr(href()) .qq!");\n!.
qq!</script>\n!; qq!</script>\n!;
} else { } else {
my ($jstimezone, $tz_cookie, $datetime_class) = my ($jstimezone, $tz_cookie, $datetime_class) =
@ -7155,8 +7157,8 @@ sub git_blob {
print qq! alt="!.esc_attr($file_name).qq!" title="!.esc_attr($file_name).qq!"!; print qq! alt="!.esc_attr($file_name).qq!" title="!.esc_attr($file_name).qq!"!;
} }
print qq! src="! . print qq! src="! .
href(action=>"blob_plain", hash=>$hash, esc_attr(href(action=>"blob_plain", hash=>$hash,
hash_base=>$hash_base, file_name=>$file_name) . hash_base=>$hash_base, file_name=>$file_name)) .
qq!" />\n!; qq!" />\n!;
} else { } else {
my $nr; my $nr;
@ -8239,6 +8241,7 @@ sub git_feed {
} else { } else {
$alt_url = href(-full=>1, action=>"summary"); $alt_url = href(-full=>1, action=>"summary");
} }
$alt_url = esc_attr($alt_url);
print qq!<?xml version="1.0" encoding="utf-8"?>\n!; print qq!<?xml version="1.0" encoding="utf-8"?>\n!;
if ($format eq 'rss') { if ($format eq 'rss') {
print <<XML; print <<XML;
@ -8276,7 +8279,7 @@ XML
$alt_url . '" />' . "\n" . $alt_url . '" />' . "\n" .
'<link rel="self" type="' . $content_type . '" href="' . '<link rel="self" type="' . $content_type . '" href="' .
$cgi->self_url() . '" />' . "\n" . $cgi->self_url() . '" />' . "\n" .
"<id>" . href(-full=>1) . "</id>\n" . "<id>" . esc_url(href(-full=>1)) . "</id>\n" .
# use project owner for feed author # use project owner for feed author
"<author><name>$owner</name></author>\n"; "<author><name>$owner</name></author>\n";
if (defined $favicon) { if (defined $favicon) {
@ -8322,7 +8325,7 @@ XML
"<author>" . esc_html($co{'author'}) . "</author>\n" . "<author>" . esc_html($co{'author'}) . "</author>\n" .
"<pubDate>$cd{'rfc2822'}</pubDate>\n" . "<pubDate>$cd{'rfc2822'}</pubDate>\n" .
"<guid isPermaLink=\"true\">$co_url</guid>\n" . "<guid isPermaLink=\"true\">$co_url</guid>\n" .
"<link>$co_url</link>\n" . "<link>" . esc_html($co_url) . "</link>\n" .
"<description>" . esc_html($co{'title'}) . "</description>\n" . "<description>" . esc_html($co{'title'}) . "</description>\n" .
"<content:encoded>" . "<content:encoded>" .
"<![CDATA[\n"; "<![CDATA[\n";
@ -8344,8 +8347,8 @@ XML
} }
print "</contributor>\n" . print "</contributor>\n" .
"<published>$cd{'iso-8601'}</published>\n" . "<published>$cd{'iso-8601'}</published>\n" .
"<link rel=\"alternate\" type=\"text/html\" href=\"$co_url\" />\n" . "<link rel=\"alternate\" type=\"text/html\" href=\"" . esc_attr($co_url) . "\" />\n" .
"<id>$co_url</id>\n" . "<id>" . esc_html($co_url) . "</id>\n" .
"<content type=\"xhtml\" xml:base=\"" . esc_url($my_url) . "\">\n" . "<content type=\"xhtml\" xml:base=\"" . esc_url($my_url) . "\">\n" .
"<div xmlns=\"http://www.w3.org/1999/xhtml\">\n"; "<div xmlns=\"http://www.w3.org/1999/xhtml\">\n";
} }
@ -8452,8 +8455,8 @@ XML
} }


my $path = esc_html(chop_str($proj{'path'}, 25, 5)); my $path = esc_html(chop_str($proj{'path'}, 25, 5));
my $rss = href('project' => $proj{'path'}, 'action' => 'rss', -full => 1); my $rss = esc_attr(href('project' => $proj{'path'}, 'action' => 'rss', -full => 1));
my $html = href('project' => $proj{'path'}, 'action' => 'summary', -full => 1); my $html = esc_attr(href('project' => $proj{'path'}, 'action' => 'summary', -full => 1));
print "<outline type=\"rss\" text=\"$path\" title=\"$path\" xmlUrl=\"$rss\" htmlUrl=\"$html\"/>\n"; print "<outline type=\"rss\" text=\"$path\" title=\"$path\" xmlUrl=\"$rss\" htmlUrl=\"$html\"/>\n";
} }
print <<XML; print <<XML;

7
t/gitweb-lib.sh
View File

@ -58,10 +58,11 @@ gitweb_run () {
GATEWAY_INTERFACE='CGI/1.1' GATEWAY_INTERFACE='CGI/1.1'
HTTP_ACCEPT='*/*' HTTP_ACCEPT='*/*'
REQUEST_METHOD='GET' REQUEST_METHOD='GET'
QUERY_STRING=""$1"" QUERY_STRING=$1
PATH_INFO=""$2"" PATH_INFO=$2
REQUEST_URI=/gitweb.cgi$PATH_INFO
export GATEWAY_INTERFACE HTTP_ACCEPT REQUEST_METHOD \ export GATEWAY_INTERFACE HTTP_ACCEPT REQUEST_METHOD \
QUERY_STRING PATH_INFO QUERY_STRING PATH_INFO REQUEST_URI


GITWEB_CONFIG=$(pwd)/gitweb_config.perl GITWEB_CONFIG=$(pwd)/gitweb_config.perl
export GITWEB_CONFIG export GITWEB_CONFIG

7
t/t9502-gitweb-standalone-parse-output.sh
View File

@ -188,8 +188,8 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' '
' '


xss() { xss() {
echo >&2 "Checking $1..." && echo >&2 "Checking $*..." &&
gitweb_run "$1" && gitweb_run "$@" &&
if grep "$TAG" gitweb.body; then if grep "$TAG" gitweb.body; then
echo >&2 "xss: $TAG should have been quoted in output" echo >&2 "xss: $TAG should have been quoted in output"
return 1 return 1
@ -200,7 +200,8 @@ xss() {
test_expect_success 'xss checks' ' test_expect_success 'xss checks' '
TAG="<magic-xss-tag>" && TAG="<magic-xss-tag>" &&
xss "a=rss&p=$TAG" && xss "a=rss&p=$TAG" &&
xss "a=rss&p=foo.git&f=$TAG" xss "a=rss&p=foo.git&f=$TAG" &&
xss "" "$TAG+"
' '


test_done test_done