diff options
| author | Junio C Hamano <gitster@pobox.com> | 2012-11-20 10:37:27 -0800 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2012-11-20 10:37:27 -0800 |
| commit | 79a09bba1cc919f5ea0992db358fb4b14ab2c226 (patch) | |
| tree | 40b89ba60b8c8210030eb64e519f0abd1a8ce739 | |
| parent | 05849c4818342a0e0ecb597fd2452125b00d543e (diff) | |
| parent | 0f0ecf68b31303de7cb428554e27d433fe62180e (diff) | |
| download | git-79a09bba1cc919f5ea0992db358fb4b14ab2c226.tar.gz | |
Merge branch 'jk/maint-gitweb-xss'
Fixes an XSS vulnerability in gitweb.
* jk/maint-gitweb-xss:
gitweb: escape html in rss title
| -rwxr-xr-x | gitweb/gitweb.perl | 1 | ||||
| -rwxr-xr-x | t/t9502-gitweb-standalone-parse-output.sh | 15 |
2 files changed, 16 insertions, 0 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index ce8cb4af16..e8812fa2b9 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -8054,6 +8054,7 @@ sub git_feed { $feed_type = 'history'; } $title .= " $feed_type"; + $title = esc_html($title); my $descr = git_get_project_description($project); if (defined $descr) { $descr = esc_html($descr); diff --git a/t/t9502-gitweb-standalone-parse-output.sh b/t/t9502-gitweb-standalone-parse-output.sh index 731e64c3ad..3a8e7d3f5a 100755 --- a/t/t9502-gitweb-standalone-parse-output.sh +++ b/t/t9502-gitweb-standalone-parse-output.sh @@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' ' test_cmp expected actual ' +xss() { + echo >&2 "Checking $1..." && + gitweb_run "$1" && + if grep "$TAG" gitweb.body; then + echo >&2 "xss: $TAG should have been quoted in output" + return 1 + fi + return 0 +} + +test_expect_success 'xss checks' ' + TAG="<magic-xss-tag>" && + xss "a=rss&p=$TAG" && + xss "a=rss&p=foo.git&f=$TAG" +' test_done |