Merge branch 'maint'

* maint: gitweb: add $prevent_xss option to prevent XSS by repository content rev-list: fix showing distance when using --bisect-all
16 years ago · df487baa30
3 changed files with 28 additions and 3 deletions
--- a/builtin-rev-list.c
+++ b/builtin-rev-list.c
@ -608,6 +608,7 @@ int cmd_rev_list(int argc, const char **argv, const char *prefix)
				@@ -608,6 +608,7 @@ int cmd_rev_list(int argc, const char **argv, const char *prefix)
 		if (!strcmp(arg, "--bisect-all")) {
 			bisect_list = 1;
 			bisect_find_all = 1;
+			revs.show_decorations = 1;
 			continue;
 		}
 		if (!strcmp(arg, "--bisect-vars")) {
--- a/gitweb/README
+++ b/gitweb/README
@ -212,6 +212,11 @@ not include variables usually directly set during build):
				@@ -212,6 +212,11 @@ not include variables usually directly set during build):
   Rename detection options for git-diff and git-diff-tree. By default
   ('-M'); set it to ('-C') or ('-C', '-C') to also detect copies, or
   set it to () if you don't want to have renames detection.
+ * $prevent_xss
+   If true, some gitweb features are disabled to prevent content in
+   repositories from launching cross-site scripting (XSS) attacks.  Set this
+   to true if you don't trust the content of your repositories. The default
+   is false.


 Projects list file format
@ -258,7 +263,9 @@ You can use the following files in repository:
				@@ -258,7 +263,9 @@ You can use the following files in repository:
   A .html file (HTML fragment) which is included on the gitweb project
   summary page inside <div> block element. You can use it for longer
   description of a project, to provide links (for example to project's
-   homepage), etc.
+   homepage), etc. This is recognized only if XSS prevention is off
+   ($prevent_xss is false); a way to include a readme safely when XSS
+   prevention is on may be worked out in the future.
 * description (or gitweb.description)
   Short (shortened by default to 25 characters in the projects list page)
   single line description of a project (of a repository). Plain text file;
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@ -132,6 +132,10 @@ our $fallback_encoding = 'latin1';
				@@ -132,6 +132,10 @@ our $fallback_encoding = 'latin1';
 # - one might want to include '-B' option, e.g. '-B', '-M'
 our @diff_opts = ('-M'); # taken from git_commit

+# Disables features that would allow repository owners to inject script into
+# the gitweb domain.
+our $prevent_xss = 0;
+
 # information about snapshot formats that gitweb is capable of serving
 our %known_snapshot_formats = (
 	# name => {
@ -4503,7 +4507,9 @@ sub git_summary {
				@@ -4503,7 +4507,9 @@ sub git_summary {

 	print "</table>\n";

-	if (-s "$projectroot/$project/README.html") {
+	# If XSS prevention is on, we don't include README.html.
+	# TODO: Allow a readme in some safe format.
+	if (!$prevent_xss && -s "$projectroot/$project/README.html") {
 		print "<div class=\"title\">readme</div>\n" .
 		      "<div class=\"readme\">\n";
 		insert_file("$projectroot/$project/README.html");
@ -4764,10 +4770,21 @@ sub git_blob_plain {
				@@ -4764,10 +4770,21 @@ sub git_blob_plain {
 		$save_as .= '.txt';
 	}

+	# With XSS prevention on, blobs of all types except a few known safe
+	# ones are served with "Content-Disposition: attachment" to make sure
+	# they don't run in our security domain.  For certain image types,
+	# blob view writes an <img> tag referring to blob_plain view, and we
+	# want to be sure not to break that by serving the image as an
+	# attachment (though Firefox 3 doesn't seem to care).
+	my $sandbox = $prevent_xss &&
+		$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
+
 	print $cgi->header(
 		-type => $type,
 		-expires => $expires,
-		-content_disposition => 'inline; filename="' . $save_as . '"');
+		-content_disposition =>
+			($sandbox ? 'attachment' : 'inline')
+			. '; filename="' . $save_as . '"');
 	undef $/;
 	binmode STDOUT, ':raw';
 	print <$fd>;