oss-sec mailing list archives

Re: Re: XSS security issue in gitweb for 'blob_plain' view with HTML files


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Tue, 14 Jun 2011 14:46:40 +0200

Jakub Narebski wrote:
On Fri, 3 July 2011, Jakub Narebski wrote:
[...]
Proposed patch:
---------------
Note that it includes an unrelated fix for the $prevent_xss feature.  It would
be split into a separate patch (non-security-related bugfix).

With this patch above lol.xml would be served as text/plain...

-- >8 --
diff --git i/gitweb/gitweb.perl w/gitweb/gitweb.perl
index 240dd47..a3c03f3 100755
--- i/gitweb/gitweb.perl
+++ w/gitweb/gitweb.perl
@@ -3595,7 +3595,7 @@ sub blob_mimetype {
    my $fd = shift;
    my $filename = shift;
 
-   if ($filename) {
+   if ($filename && !$prevent_xss) {
            my $mime = mimetype_guess($filename);
            $mime and return $mime;
    }
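Review bot: the added `&& !$prevent_xss` guard only skips the filename-based `mimetype_guess($filename)` shortcut; when $prevent_xss is set the function falls through to whatever follows the shown context, and the hunk alone does not say what type a `lol.html` or `lol.xml` blob will then be served with. A one-line comment above the `if` explaining that the filename guess is bypassed under XSS prevention, plus a sentence in the commit message stating the resulting type, would make the intent reviewable; as the cover note already says, the $prevent_xss tweak belongs in its own patch so the security fix stays minimal.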

So I think the above is not necessary; it is enough to enable XSS
prevention by adding

  our $prevent_xss = 1;

in the gitweb configuration file.

What about making that the default?
For convenience it may make sense to s!text/.*!text/plain! and allow
that to be displayed inline.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 
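The policy discussed in this thread, written out as an added Python illustration (this is not gitweb's Perl code and not part of the mailing-list message): with XSS prevention off, the filename-based MIME guess is trusted and rendered inline, which is how an `lol.xml` or `lol.html` blob ends up parsed by the browser in gitweb's origin; with prevention on, any `text/*` type is collapsed to `text/plain` so sources still display inline, a few raster image types stay inline, and everything else is forced to download. The extension table, the `GUESS_TABLE` name and the `blob_plain_headers` function are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Constructed extension table standing in for a filename-based MIME guess
# (gitweb consults the system mime.types file; this is example data only).
GUESS_TABLE = {
    ".html": "text/html",
    ".xml": "text/xml",
    ".svg": "image/svg+xml",
    ".png": "image/png",
    ".js": "application/javascript",
    ".txt": "text/plain",
}


class Response(NamedTuple):
    content_type: str
    disposition: str  # "inline" or "attachment"


def guess_mimetype(filename: str) -> Optional[str]:
    """Filename-based guess: the part of the pipeline the thread identifies
    as the vector, because the committer controls the file name."""
    lowered = filename.lower()
    for ext, mime in GUESS_TABLE.items():
        if lowered.endswith(ext):
            return mime
    return None


# Raster formats that browsers render without executing anything; SVG is
# deliberately excluded because it can carry script.
_SAFE_INLINE = re.compile(r"^image/(?:gif|png|jpeg)$")


def blob_plain_headers(filename: str, prevent_xss: bool) -> Response:
    """Decide Content-Type and Content-Disposition for a blob_plain response."""
    mime = guess_mimetype(filename) or "application/octet-stream"

    if not prevent_xss:
        # Legacy behaviour: trust the guess and render inline. text/html and
        # text/xml are then interpreted by the browser in the server's origin.
        return Response(mime, "inline")

    # With prevention on: s!text/.*!text/plain! so sources remain readable
    # inline but are never parsed as HTML or XML.
    if mime.startswith("text/"):
        return Response("text/plain", "inline")

    if _SAFE_INLINE.match(mime):
        return Response(mime, "inline")

    # Anything else (svg, javascript, unknown binaries) is forced to download.
    return Response(mime, "attachment")


def header_lines(filename: str, prevent_xss: bool) -> list:
    """Render the decision as the two HTTP header lines a handler would emit."""
    resp = blob_plain_headers(filename, prevent_xss)
    return [
        f"Content-Type: {resp.content_type}",
        f'Content-Disposition: {resp.disposition}; filename="{filename}"',
    ]


if __name__ == "__main__":
    for name in ("lol.xml", "lol.html", "logo.svg", "icon.png", "README"):
        for flag in (False, True):
            print(f"{name:10} prevent_xss={flag!s:5} ->", "; ".join(header_lines(name, flag)))
```

Running the block prints the header pair for each sample name in both modes; the `prevent_xss=True` rows show every `text/*` guess collapsing to `text/plain` while `logo.svg` switches from inline to attachment.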

