> -----Original Message-----
> From: Drew Northup
> Sent: Monday, November 12, 2012 1:56 PM
>
> On Sun, Nov 11, 2012 at 6:28 PM, glpk xypron <xypron.glpk@xxxxxx>
> wrote:
> > Gitweb can be used to generate an RSS feed.
> >
> > Arbitrary tags can be inserted into the XML document describing
> > the RSS feed by careful construction of the URL.
> >
> > Example
> >
> > http://server/?p=project.git&a=rss&f=</title><script>alert(document.cookie)</script><title>
> >
> > The generated XML contains
> > <script>alert(document.cookie)</script>

This is just an example.

> >
> > Depending on the system used to render the XML this might lead
> > to the execution of javascript in the security context of the
> > gitweb server pages.
> >
> > Please, escape all URL parameters.

We should look for the general entry points, not the script tag.

> >
> > Version tested:
> > gitweb v.1.8.0.dirty with git 1.7.2.5
> >
> > Best regards
> >
> > Heinrich Schuchardt
>
> Something like this may be useful to defuse the "file" parameter, but
> I presume a more definitive fix is in order...
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 10ed9e5..af93e65 100755
> --- a/gitweb/gitweb.perl
> +++ b/gitweb/gitweb.perl
> @@ -1447,6 +1447,10 @@ sub validate_pathname {
>  	if ($input =~ m!\0!) {
>  		return undef;
>  	}
> +	# No XSS <script></script> inclusions

### not real perl... foreach $xml in ( <, >, &, ...) { $input=~s/$xml/xmlescape{$xml}/g; } ### "<" => "&lt;"

> +	if ($input =~ m!(<script>)(.*)(</script>)!){
> +		return undef;
> +	}
>  	return $input;
>  }
>
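Review bot: the check added to validate_pathname() in this hunk, `if ($input =~ m!(<script>)(.*)(</script>)!)`, rejects only a literal lowercase `<script>` that is followed by `</script>` on the same line; `<SCRIPT>`, `<script src=...>`, an unclosed `<script>`, a pair split across a newline (`.*` without the /s modifier does not cross newlines), or any other tag such as `</title><img onerror=...>` all pass, so the feed is still injectable. Since the report's problem is that the f= value reaches the XML unescaped, the fix belongs where the value is written into the feed: escape `&`, `<`, `>` (and quotes inside attribute values) at output, rather than blocklisting one tag name during path validation. If a pattern check is kept here anyway, the comment `# No XSS <script></script> inclusions` should state that it is only a partial mitigation.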
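As an added illustration, not code from gitweb or from anyone in this thread, the Perl script below puts the proposed `<script>` blocklist beside the escape-every-special-character approach sketched in the reply, and feeds both the f= value from the report plus three constructed variants. The subs validate_pathname_blocklist, xml_escape, rss_title_unescaped and rss_title_escaped and the sample inputs are hypothetical; gitweb's real feed code is not reproduced here.

```perl
#!/usr/bin/perl
# Added example (not gitweb code): a tag-name blocklist in path
# validation versus XML escaping at the point of output. All names
# below are hypothetical.
use strict;
use warnings;

# The proposed check from the patch, reproduced for comparison.
sub validate_pathname_blocklist {
    my ($input) = @_;
    return undef if $input =~ m!\0!;
    return undef if $input =~ m!(<script>)(.*)(</script>)!;
    return $input;
}

# Escape the five characters that have meaning in XML text and
# attribute values. A single pass over the string avoids double-escaping
# the '&' that earlier replacements would otherwise introduce.
my %xmlescape = (
    '&' => '&amp;',
    '<' => '&lt;',
    '>' => '&gt;',
    '"' => '&quot;',
    "'" => '&#39;',
);
sub xml_escape {
    my ($input) = @_;
    $input =~ s/([&<>"'])/$xmlescape{$1}/g;
    return $input;
}

# Build an RSS <title> element from a file name, with and without
# escaping (hypothetical; gitweb's feed generator is structured differently).
sub rss_title_unescaped { my ($f) = @_; return "<title>$f</title>"; }
sub rss_title_escaped   { my ($f) = @_; return '<title>' . xml_escape($f) . '</title>'; }

# Constructed inputs: the f= value from the report and three variants
# that never contain the literal string "<script>".
my @inputs = (
    '</title><script>alert(document.cookie)</script><title>',  # from the report
    '</title><SCRIPT>alert(1)</SCRIPT><title>',                 # different case
    '</title><script src=//example/x.js></script><title>',      # tag with attribute
    '</title><img src=x onerror=alert(1)><title>',              # no script tag at all
);

for my $f (@inputs) {
    my $verdict = defined validate_pathname_blocklist($f)
                ? 'passes blocklist' : 'rejected';
    printf "%-16s %s\n",   $verdict,  rss_title_unescaped($f);
    printf "%-16s %s\n\n", 'escaped', rss_title_escaped($f);
}
```

Only the first input is rejected by the blocklist; the other three come through unchanged and close the `<title>` element exactly as the report describes. After xml_escape every `<` and `>` becomes `&lt;` and `&gt;`, so all four land inside the title as inert text, which is the "general entry point" the reply asks for: the escape is applied once, where the value is written into the XML, regardless of what tag the attacker chose.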