Merge branch 'jk/maint-gitweb-xss' into maint
authorJunio C Hamano <gitster@pobox.com>
Mon, 26 Nov 2012 02:35:41 +0000 (18:35 -0800)
committerJunio C Hamano <gitster@pobox.com>
Mon, 26 Nov 2012 02:35:41 +0000 (18:35 -0800)
Fixes an XSS vulnerability in gitweb.

* jk/maint-gitweb-xss:
gitweb: escape html in rss title

gitweb/gitweb.perl
t/t9502-gitweb-standalone-parse-output.sh
index 10ed9e51a5880430f7f109ff83f950a768a7c530..a51a8babeee1ca5388d12a2ec8ba4b417c86e4a3 100755 (executable)
@@ -8055,6 +8055,7 @@ sub git_feed {
                $feed_type = 'history';
        }
        $title .= " $feed_type";
+       $title = esc_html($title);
        my $descr = git_get_project_description($project);
        if (defined $descr) {
                $descr = esc_html($descr);
index 731e64c3adbd4d887bfa2c96eb060aa890377cfc..3a8e7d3f5aa1dc6a4d13467babd96a293ee1bb6e 100755 (executable)
@@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' '
        test_cmp expected actual
 '
 
+xss() {
+       echo >&2 "Checking $1..." &&
+       gitweb_run "$1" &&
+       if grep "$TAG" gitweb.body; then
+               echo >&2 "xss: $TAG should have been quoted in output"
+               return 1
+       fi
+       return 0
+}
+
+test_expect_success 'xss checks' '
+       TAG="<magic-xss-tag>" &&
+       xss "a=rss&p=$TAG" &&
+       xss "a=rss&p=foo.git&f=$TAG"
+'
 
 test_done