From: Jeff King Date: Mon, 12 Nov 2012 21:34:28 +0000 (-0500) Subject: gitweb: escape html in rss title X-Git-Tag: v1.8.0.1~3^2 X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/0f0ecf68b31303de7cb428554e27d433fe62180e?ds=inline;hp=--cc gitweb: escape html in rss title The title of an RSS feed is generated from many components, including the filename provided as a query parameter, but we failed to quote it. Besides showing the wrong output, this is a vector for XSS attacks. Signed-off-by: Jeff King --- 0f0ecf68b31303de7cb428554e27d433fe62180e diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 10ed9e51a5..a51a8babee 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -8055,6 +8055,7 @@ sub git_feed { $feed_type = 'history'; } $title .= " $feed_type"; + $title = esc_html($title); my $descr = git_get_project_description($project); if (defined $descr) { $descr = esc_html($descr); diff --git a/t/t9502-gitweb-standalone-parse-output.sh b/t/t9502-gitweb-standalone-parse-output.sh index 731e64c3ad..3a8e7d3f5a 100755 --- a/t/t9502-gitweb-standalone-parse-output.sh +++ b/t/t9502-gitweb-standalone-parse-output.sh @@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' ' test_cmp expected actual ' +xss() { + echo >&2 "Checking $1..." && + gitweb_run "$1" && + if grep "$TAG" gitweb.body; then + echo >&2 "xss: $TAG should have been quoted in output" + return 1 + fi + return 0 +} + +test_expect_success 'xss checks' ' + TAG="" && + xss "a=rss&p=$TAG" && + xss "a=rss&p=foo.git&f=$TAG" +' test_done