Search
j0ke.net Open Build Service
>
Projects
>
home:opeter
>
git
> git-prevent_xss-default.diff
Sign Up
|
Log In
Username
Password
Cancel
Overview
Repositories
Revisions
Requests
Users
Advanced
Attributes
Meta
File git-prevent_xss-default.diff of Package git (Revision 1)
Currently displaying revision
1
,
show latest
From: Jakub Narebski <jnareb@...il.com> Subject: [PATCH] gitweb: Enable $prevent_xss by default This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804 Reported-by: dave b <db.pub.mail@...il.com> Signed-off-by: Jakub Narebski <jnareb@...il.com> --- git-instaweb.sh | 4 ++++ gitweb/README | 5 +++-- gitweb/gitweb.perl | 2 +- 3 files changed, 8 insertions(+), 3 deletions(-) --- a/git-instaweb.sh +++ b/git-instaweb.sh @@ -583,6 +583,10 @@ our \$git_temp = "$fqgitdir/gitweb/tmp"; our \$projects_list = \$projectroot; +# we can trust our own repository, so disable XSS prevention +# to enable some extra features +our \$prevent_xss = 0; + \$feature{'remote_heads'}{'default'} = [1]; EOF } --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -170,7 +170,7 @@ # Disables features that would allow repository owners to inject script into # the gitweb domain. -our $prevent_xss = 0; +our $prevent_xss = 1; # Path to the highlight executable to use (must be the one from # http://www.andre-simon.de due to assumptions about parameters and output).