From: Junio C Hamano <gitster@pobox.com>
Date: Wed, 15 Dec 2010 19:40:40 +0000 (-0800)
Subject: Git 1.7.1.4
X-Git-Tag: v1.7.1.4^0
X-Git-Url: https://git.lorimer.id.au/gitweb.git/diff_plain/9db41eba4259126dbe1c68e2207d342d11f14745?ds=inline;hp=-c

Git 1.7.1.4

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---

9db41eba4259126dbe1c68e2207d342d11f14745
diff --combined Documentation/RelNotes/1.7.1.4.txt
index 0000000000,0000000000..7c734b4f7b
new file mode 100644
--- /dev/null
+++ b/Documentation/RelNotes/1.7.1.4.txt
@@@ -1,0 -1,0 +1,8 @@@
++Git v1.7.1.4 Release Notes
++==========================
++
++Fixes since v1.7.1.3
++--------------------
++
++ * "gitweb" can sometimes be tricked into parrotting a filename argument
++   given in a request without properly quoting.
diff --combined GIT-VERSION-GEN
index 8eb10c2c1f,c07c5959bb..5e8077ebf4
--- a/GIT-VERSION-GEN
+++ b/GIT-VERSION-GEN
@@@ -1,7 -1,7 +1,7 @@@
  #!/bin/sh
  
  GVF=GIT-VERSION-FILE
- DEF_VER=v1.7.1.3
 -DEF_VER=v1.7.0.9
++DEF_VER=v1.7.1.4
  
  LF='
  '
@@@ -12,7 -12,7 +12,7 @@@ if test -f versio
  then
  	VN=$(cat version) || VN="$DEF_VER"
  elif test -d .git -o -f .git &&
 -	VN=$(git describe --abbrev=4 HEAD 2>/dev/null) &&
 +	VN=$(git describe --match "v[0-9]*" --abbrev=4 HEAD 2>/dev/null) &&
  	case "$VN" in
  	*$LF*) (exit 1) ;;
  	v[0-9]*)
diff --combined RelNotes
index d3921d81b8,2e4322a073..86af99bd37
--- a/RelNotes
+++ b/RelNotes
@@@ -1,1 -1,1 +1,1 @@@
- Documentation/RelNotes/1.7.1.3.txt
 -Documentation/RelNotes/1.7.0.9.txt
++Documentation/RelNotes/1.7.1.4.txt
diff --combined gitweb/gitweb.perl
index a97ce03444,f1d857961c..b51f5bfb2f
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@@ -1150,7 -1150,6 +1150,7 @@@ sub validate_refname 
  # in utf-8 thanks to "binmode STDOUT, ':utf8'" at beginning
  sub to_utf8 {
  	my $str = shift;
 +	return undef unless defined $str;
  	if (utf8::valid($str)) {
  		utf8::decode($str);
  		return $str;
@@@ -1163,7 -1162,6 +1163,7 @@@
  # correct, but quoted slashes look too horrible in bookmarks
  sub esc_param {
  	my $str = shift;
 +	return undef unless defined $str;
  	$str =~ s/([^A-Za-z0-9\-_.~()\/:@ ]+)/CGI::escape($1)/eg;
  	$str =~ s/ /\+/g;
  	return $str;
@@@ -1172,19 -1170,24 +1172,26 @@@
  # quote unsafe chars in whole URL, so some charactrs cannot be quoted
  sub esc_url {
  	my $str = shift;
 -	$str =~ s/([^A-Za-z0-9\-_.~();\/;?:@&=])/sprintf("%%%02X", ord($1))/eg;
 -	$str =~ s/\+/%2B/g;
 +	return undef unless defined $str;
 +	$str =~ s/([^A-Za-z0-9\-_.~();\/;?:@&= ]+)/CGI::escape($1)/eg;
  	$str =~ s/ /\+/g;
  	return $str;
  }
  
+ # quote unsafe characters in HTML attributes
+ sub esc_attr {
+ 
+ 	# for XHTML conformance escaping '"' to '&quot;' is not enough
+ 	return esc_html(@_);
+ }
+ 
  # replace invalid utf8 character with SUBSTITUTION sequence
  sub esc_html {
  	my $str = shift;
  	my %opts = @_;
  
 +	return undef unless defined $str;
 +
  	$str = to_utf8($str);
  	$str = $cgi->escapeHTML($str);
  	if ($opts{'-nbsp'}) {
@@@ -1199,8 -1202,6 +1206,8 @@@ sub esc_path 
  	my $str = shift;
  	my %opts = @_;
  
 +	return undef unless defined $str;
 +
  	$str = to_utf8($str);
  	$str = $cgi->escapeHTML($str);
  	if ($opts{'-nbsp'}) {
@@@ -1583,7 -1584,7 +1590,7 @@@ sub format_ref_marker 
  					hash=>$dest
  				)}, $name);
  
- 			$markers .= " <span class=\"$class\" title=\"$ref\">" .
+ 			$markers .= " <span class=\"".esc_attr($class)."\" title=\"".esc_attr($ref)."\">" .
  				$link . "</span>";
  		}
  	}
@@@ -1667,7 -1668,7 +1674,7 @@@ sub git_get_avatar 
  		return $pre_white .
  		       "<img width=\"$size\" " .
  		            "class=\"avatar\" " .
- 		            "src=\"$url\" " .
+ 		            "src=\"".esc_url($url)."\" " .
  			    "alt=\"\" " .
  		       "/>" . $post_white;
  	} else {
@@@ -2378,7 -2379,7 +2385,7 @@@ sub git_show_project_tagcloud 
  	} else {
  		my @tags = sort { $cloud->{$a}->{count} <=> $cloud->{$b}->{count} } keys %$cloud;
  		return '<p align="center">' . join (', ', map {
- 			"<a href=\"$home_link?by_tag=$_\">$cloud->{$_}->{topname}</a>"
+ 			$cgi->a({-href=>"$home_link?by_tag=$_"}, $cloud->{$_}->{topname})
  		} splice(@tags, 0, $count)) . '</p>';
  	}
  }
@@@ -3209,11 -3210,11 +3216,11 @@@ EO
  	# print out each stylesheet that exist, providing backwards capability
  	# for those people who defined $stylesheet in a config file
  	if (defined $stylesheet) {
- 		print '<link rel="stylesheet" type="text/css" href="'.$stylesheet.'"/>'."\n";
+ 		print '<link rel="stylesheet" type="text/css" href="'.esc_url($stylesheet).'"/>'."\n";
  	} else {
  		foreach my $stylesheet (@stylesheets) {
  			next unless $stylesheet;
- 			print '<link rel="stylesheet" type="text/css" href="'.$stylesheet.'"/>'."\n";
+ 			print '<link rel="stylesheet" type="text/css" href="'.esc_url($stylesheet).'"/>'."\n";
  		}
  	}
  	if (defined $project) {
@@@ -3226,7 -3227,7 +3233,7 @@@
  			my $type = lc($format);
  			my %link_attr = (
  				'-rel' => 'alternate',
- 				'-title' => "$project - $href_params{'-title'} - $format feed",
+ 				'-title' => esc_attr("$project - $href_params{'-title'} - $format feed"),
  				'-type' => "application/$type+xml"
  			);
  
@@@ -3253,13 -3254,13 +3260,13 @@@
  	} else {
  		printf('<link rel="alternate" title="%s projects list" '.
  		       'href="%s" type="text/plain; charset=utf-8" />'."\n",
- 		       $site_name, href(project=>undef, action=>"project_index"));
+ 		       esc_attr($site_name), href(project=>undef, action=>"project_index"));
  		printf('<link rel="alternate" title="%s projects feeds" '.
  		       'href="%s" type="text/x-opml" />'."\n",
- 		       $site_name, href(project=>undef, action=>"opml"));
+ 		       esc_attr($site_name), href(project=>undef, action=>"opml"));
  	}
  	if (defined $favicon) {
- 		print qq(<link rel="shortcut icon" href="$favicon" type="image/png" />\n);
+ 		print qq(<link rel="shortcut icon" href=").esc_url($favicon).qq(" type="image/png" />\n);
  	}
  
  	print "</head>\n" .
@@@ -3272,7 -3273,7 +3279,7 @@@
  	print "<div class=\"page_header\">\n" .
  	      $cgi->a({-href => esc_url($logo_url),
  	               -title => $logo_label},
- 	              qq(<img src="$logo" width="72" height="27" alt="git" class="logo"/>));
+ 	              qq(<img src=").esc_url($logo).qq(" width="72" height="27" alt="git" class="logo"/>));
  	print $cgi->a({-href => esc_url($home_link)}, $home_link_str) . " / ";
  	if (defined $project) {
  		print $cgi->a({-href => href(action=>"summary")}, esc_html($project));
@@@ -3370,7 -3371,7 +3377,7 @@@ sub git_footer_html 
  		insert_file($site_footer);
  	}
  
- 	print qq!<script type="text/javascript" src="$javascript"></script>\n!;
+ 	print qq!<script type="text/javascript" src="!.esc_url($javascript).qq!"></script>\n!;
  	if (defined $action &&
  	    $action eq 'blame_incremental') {
  		print qq!<script type="text/javascript">\n!.
@@@ -3387,7 -3388,7 +3394,7 @@@
  	      "</html>";
  }
  
 -# die_error(<http_status_code>, <error_message>)
 +# die_error(<http_status_code>, <error_message>[, <detailed_html_description>])
  # Example: die_error(404, 'Hash not found')
  # By convention, use the following status codes (as defined in RFC 2616):
  # 400: Invalid or missing CGI parameters, or
@@@ -3402,7 -3403,7 +3409,7 @@@
  #      or down for maintenance).  Generally, this is a temporary state.
  sub die_error {
  	my $status = shift || 500;
 -	my $error = shift || "Internal server error";
 +	my $error = esc_html(shift) || "Internal Server Error";
  	my $extra = shift;
  
  	my %http_responses = (
@@@ -5382,14 -5383,14 +5389,14 @@@ sub git_blob 
  	} else {
  		print "<div class=\"page_nav\">\n" .
  		      "<br/><br/></div>\n" .
- 		      "<div class=\"title\">$hash</div>\n";
+ 		      "<div class=\"title\">".esc_html($hash)."</div>\n";
  	}
  	git_print_page_path($file_name, "blob", $hash_base);
  	print "<div class=\"page_body\">\n";
  	if ($mimetype =~ m!^image/!) {
- 		print qq!<img type="$mimetype"!;
+ 		print qq!<img type="!.esc_attr($mimetype).qq!"!;
  		if ($file_name) {
- 			print qq! alt="$file_name" title="$file_name"!;
+ 			print qq! alt="!.esc_attr($file_name).qq!" title="!.esc_attr($file_name).qq!"!;
  		}
  		print qq! src="! .
  		      href(action=>"blob_plain", hash=>$hash,
@@@ -5401,7 -5402,8 +5408,8 @@@
  			chomp $line;
  			$nr++;
  			$line = untabify($line);
- 			printf "<div class=\"pre\"><a id=\"l%i\" href=\"" . href(-replay => 1)
+ 			printf "<div class=\"pre\"><a id=\"l%i\" href=\""
+ 				. esc_attr(href(-replay => 1))
  				. "#l%i\" class=\"linenr\">%4i</a> %s</div>\n",
  			       $nr, $nr, $nr, esc_html($line, -nbsp=>1);
  		}
@@@ -5465,7 -5467,7 +5473,7 @@@ sub git_tree 
  		undef $hash_base;
  		print "<div class=\"page_nav\">\n";
  		print "<br/><br/></div>\n";
- 		print "<div class=\"title\">$hash</div>\n";
+ 		print "<div class=\"title\">".esc_html($hash)."</div>\n";
  	}
  	if (defined $file_name) {
  		$basedir = $file_name;
@@@ -5933,7 -5935,7 +5941,7 @@@ sub git_blobdiff 
  			git_print_header_div('commit', esc_html($co{'title'}), $hash_base);
  		} else {
  			print "<div class=\"page_nav\"><br/>$formats_nav<br/></div>\n";
- 			print "<div class=\"title\">$hash vs $hash_parent</div>\n";
+ 			print "<div class=\"title\">".esc_html("$hash vs $hash_parent")."</div>\n";
  		}
  		if (defined $file_name) {
  			git_print_page_path($file_name, "blob", $hash_base);