gitweb: escape html in rss title
The title of an RSS feed is generated from many components,
including the filename provided as a query parameter, but we
failed to quote it.  Besides showing the wrong output, this
is a vector for XSS attacks.

Signed-off-by: Jeff King <peff@peff.net>
Jeff King committed Nov 12, 2012
1 parent 7e20105 commit 0f0ecf6
Showing 2 changed files with 16 additions and 0 deletions.
1 change: 1 addition & 0 deletions gitweb/gitweb.perl
Expand Up @@ -8055,6 +8055,7 @@ sub git_feed {
$feed_type = 'history';
}
$title .= " $feed_type";
$title = esc_html($title);
my $descr = git_get_project_description($project);
if (defined $descr) {
$descr = esc_html($descr);
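Review bot: escaping once, after the last component (`$feed_type`) has been appended, is the right point to do it, but the hunk does not show where `$title` is consumed; please confirm that the feed emission code does not pass it through esc_html a second time (which would double-encode `&` as `&amp;amp;`) and that no other caller expects the raw title. A short comment next to `$title = esc_html($title);` stating that the value is HTML-escaped from here on would save the next maintainer from re-escaping it, and the surrounding `$descr = esc_html($descr);` context suggests the same pattern is already used for the description.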
15 changes: 15 additions & 0 deletions t/t9502-gitweb-standalone-parse-output.sh
Expand Up @@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' '
test_cmp expected actual
'

xss() {
echo >&2 "Checking $1..." &&
gitweb_run "$1" &&
if grep "$TAG" gitweb.body; then
echo >&2 "xss: $TAG should have been quoted in output"
return 1
fi
return 0
}

test_expect_success 'xss checks' '
TAG="<magic-xss-tag>" &&
xss "a=rss&p=$TAG" &&
xss "a=rss&p=foo.git&f=$TAG"
'

test_done
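Review bot: the `xss` helper only asserts that the raw `$TAG` is absent from gitweb.body, so it would also pass if the title were dropped entirely or if the request errored out before rendering a title (the first case, `a=rss&p=$TAG`, names a project that does not exist). Consider additionally grepping for the escaped form `&lt;magic-xss-tag&gt;` in the case where the title is actually rendered, and using `grep -F` so a future tag containing regex metacharacters is still matched literally. The two cases cover the `p` and `f` parameters; the commit message says the title is built from many components, so the other query-derived components are still untested.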
