oss-sec mailing list archives
Re: Re: XSS security issue in gitweb for 'blob_plain' view with HTML files
From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 14 Jun 2011 14:46:40 +0200
Jakub Narebski wrote:
On Fri, 3 July 2011, Jakub Narebski wrote:
[...]
Proposed patch:
---------------
Note that it includes an unrelated fix for the $prevent_xss feature. It would be split into a separate patch (non-security-related bugfix).

With this patch the above lol.xml would be served as text/plain...

-- >8 --
diff --git i/gitweb/gitweb.perl w/gitweb/gitweb.perl index 240dd47..a3c03f3 100755 --- i/gitweb/gitweb.perl +++ w/gitweb/gitweb.perl @@ -3595,7 +3595,7 @@ sub blob_mimetype { my $fd = shift; my $filename = shift; - if ($filename) { + if ($filename && !$prevent_xss) { my $mime = mimetype_guess($filename); $mime and return $mime; }

So I think the above is not necessary; it is enough to enable XSS prevention by adding

our $prevent_xss = 1;

in the gitweb configuration file.
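Review bot: gating mimetype_guess() on !$prevent_xss inside blob_mimetype() switches off the extension-based guess for every caller of that sub, not only the blob_plain view the XSS report is about, so with $prevent_xss set every blob falls through to whatever detection follows the shown lines; if the goal is a safe Content-Type on the raw view, forcing the type where blob_plain emits its headers is the narrower change. The message itself describes this as an unrelated fix to be split into a separate patch, so it should be dropped from the security fix rather than shipped with it.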
What about making that the default? For convenience it may make sense to s!text/.*!text/plain! and allow displaying that inline.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
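The header policy the thread is circling around (serve raw blobs so a browser never treats them as active content, while keeping text readable inline) as an added example in Perl; this is not gitweb's own code and the names `guess_mime`, `blob_plain_headers` and the small extension table are hypothetical stand-ins. It applies Ludwig's s!text/.*!text/plain! mapping for text types and forces everything else to a download, and adds an X-Content-Type-Options header that the thread does not mention but that a practitioner would want so the text/plain cannot be sniffed back into HTML.

```perl
#!/usr/bin/perl
# Added example, not gitweb's code: choosing response headers for a raw-blob
# ("blob_plain"-style) endpoint under a "prevent XSS" switch.
# Names below are hypothetical stand-ins for a real MIME lookup and handler.
use strict;
use warnings;

# Hypothetical extension table standing in for a real mimetypes database.
my %ext_to_mime = (
    html => 'text/html',
    htm  => 'text/html',
    xml  => 'application/xml',
    svg  => 'image/svg+xml',
    txt  => 'text/plain',
    c    => 'text/x-csrc',
    png  => 'image/png',
);

# Guess a MIME type from the file extension, undef if unknown.
sub guess_mime {
    my ($filename) = @_;
    return undef unless defined $filename && $filename =~ /\.([A-Za-z0-9]+)\z/;
    return $ext_to_mime{ lc $1 };
}

# Returns (header => value) pairs for serving $filename with type $mime.
# With $prevent_xss true, anything a browser could render as active content
# is neutralised:
#   * text/*          -> text/plain, still shown inline (readable source)
#   * everything else -> application/octet-stream, sent as an attachment
# With $prevent_xss false the guessed type passes through unchanged, which is
# the behaviour that lets a committed lol.html run script in the site's origin.
sub blob_plain_headers {
    my ($mime, $filename, $prevent_xss) = @_;
    $mime = 'application/octet-stream' unless defined $mime;
    my $disposition = 'inline';

    if ($prevent_xss) {
        if ($mime =~ m{^text/}i) {
            $mime = 'text/plain';            # s!text/.*!text/plain!
        } else {
            # image/svg+xml, application/xml, application/xhtml+xml and others
            # can all carry script; rather than enumerate them, force a download.
            $mime        = 'application/octet-stream';
            $disposition = 'attachment';
        }
    }

    # Strip CR/LF and quotes from the name so a crafted filename can neither
    # inject extra headers nor break out of the quoted parameter.
    (my $safe_name = $filename // 'blob') =~ s/[\r\n"]//g;

    return (
        'Content-Type'           => $mime . ($mime =~ m{^text/} ? '; charset=utf-8' : ''),
        'Content-Disposition'    => qq{$disposition; filename="$safe_name"},
        # Beyond what the thread discusses: stops older browsers from sniffing
        # the text/plain body back into HTML.
        'X-Content-Type-Options' => 'nosniff',
    );
}

# Demonstration on constructed filenames, with the switch off and on.
for my $file (qw(lol.html lol.xml lol.svg README.txt main.c)) {
    for my $prevent (0, 1) {
        my %h = blob_plain_headers(guess_mime($file), $file, $prevent);
        printf "%-11s prevent_xss=%d  %-32s %s\n",
            $file, $prevent, $h{'Content-Type'}, $h{'Content-Disposition'};
    }
}
```

Run it and compare the two rows for lol.html: with the switch off the blob goes out as text/html inline, with it on as text/plain inline; lol.svg and lol.xml become attachments because their types are not text/* yet can still carry script.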
Current thread:
- Security issue in gitweb Jamie Strandboge (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files dave b (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 04)
- Re: Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Ludwig Nussel (Jun 14)
- Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 14)
- Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files Ludwig Nussel (Jun 14)
- [CVE-2011-2186] [PATCH] gitweb: Enable $prevent_xss by default Jakub Narebski (Jun 14)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 03)