On Sun, Nov 11, 2012 at 6:28 PM, glpk xypron <xypron.glpk@xxxxxx> wrote:
> Gitweb can be used to generate an RSS feed.
>
> Arbitrary tags can be inserted into the XML document describing
> the RSS feed by careful construction of the URL.
>
> Example
> http://server/?p=project.git&a=rss&f=</title><script>alert(document.cookie)</script><title>
>
> The generated XML contains
> <script>alert(document.cookie)</script>
>
> Depending on the system used to render the XML this might lead
> to the execution of JavaScript in the security context of the
> gitweb server pages.
>
> Please escape all URL parameters.
>
> Version tested:
> gitweb v.1.8.0.dirty with git 1.7.2.5
>
> Best regards
>
> Heinrich Schuchardt

Something like this may be useful to defuse the "file" parameter, but I
presume a more definitive fix is in order...

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 10ed9e5..af93e65 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -1447,6 +1447,10 @@ sub validate_pathname { if ($input =~ m!\0!) { return undef; } + # No XSS <script></script> inclusions + if ($input =~ m!(<script>)(.*)(</script>)!){ + return undef; + } return $input; }

(I am not a perl god, so this was the lowest hanging fruit.)

If desired I'll fashion this up into a proper patch.

--
-Drew Northup
--------------------------------------------------------------
"As opposed to vegetable or mineral error?"
-John Pescatore, SANS NewsBites Vol. 12 Num. 59
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
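Review bot: the new check in the validate_pathname hunk is a blacklist on one exact token and does not address the reported defect, which is that the value of the "f" parameter reaches the RSS XML unescaped. The pattern m!(<script>)(.*)(</script>)! has no /i flag, so "<SCRIPT>" passes; it needs "<script" to be followed immediately by ">", so "<script src=...>" passes; and the "</title>" in the reported URL, which is what actually breaks out of the element, is not matched at all, nor is any other tag such as "<img onerror=...>". Suggest dropping the regex and doing what the report asks instead: escape "&", "<", ">" and the quote characters in every parameter at the point where it is interpolated into the feed, so the value can never terminate <title> or open a new element whatever it contains. A second problem with rejecting in validate_pathname is that a legitimate path (git allows "<" and ">" in file names) that happens to contain this text would turn into a "not found" instead of being served; output escaping has no such false positives.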
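As an added illustration that is not part of this thread and not gitweb's own code, the Perl below puts the reported interpolation, the blacklist regex from the proposed patch, and an output-escaping fix side by side. The subroutine names (feed_title_unescaped, passes_blacklist, xml_escape, feed_title_escaped) and the variant payloads are constructed for this example; only the first payload and the regex come from the messages above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The "f" value from the report, copied from the URL above.
my $reported = '</title><script>alert(document.cookie)</script><title>';

# Vulnerable pattern: the parameter is written into the feed verbatim,
# so "</title>" closes the element early and a new element follows it.
sub feed_title_unescaped {
    my ($file) = @_;
    return "<title>$file</title>";
}

# The check from the proposed patch. It rejects only the literal,
# lowercase, attribute-free "<script>...</script>" sequence.
sub passes_blacklist {
    my ($input) = @_;
    return 0 if $input =~ m!(<script>)(.*)(</script>)!;
    return 1;
}

# Output escaping: every XML-significant character becomes an entity,
# so the value can neither terminate <title> nor start another element.
sub xml_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&apos;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

sub feed_title_escaped {
    my ($file) = @_;
    return '<title>' . xml_escape($file) . '</title>';
}

# Constructed variants of the reported payload; none contains the exact
# token the regex looks for, yet each still injects markup.
my @variants = (
    '</title><SCRIPT>alert(1)</SCRIPT><title>',               # upper case
    '</title><script src=//x.example/a.js></script><title>',  # attribute on the tag
    '</title><img src=x onerror=alert(1)><title>',            # no script tag at all
);

print "reported payload: ",
      passes_blacklist($reported) ? "allowed" : "blocked", " by blacklist\n";
for my $v (@variants) {
    print "variant:          ",
          passes_blacklist($v) ? "allowed" : "blocked", " by blacklist\n";
}
print "\nunescaped feed element:\n  ", feed_title_unescaped($reported), "\n";
print "escaped feed element:\n  ",     feed_title_escaped($reported),   "\n";
```

Running it shows the blacklist blocking only the literal payload from the report while every variant is allowed through, whereas the escaped element contains the attacker's text as inert character data; the escaping is applied once, where the value is emitted, rather than at input validation.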