diff options
| author | Jeff King <peff@peff.net> | 2012-11-12 16:34:28 -0500 |
|---|---|---|
| committer | Jeff King <peff@peff.net> | 2012-11-12 16:34:53 -0500 |
| commit | 0f0ecf68b31303de7cb428554e27d433fe62180e (patch) | |
| tree | d1f8f5902fb5ff6dd45ba21e6fce2a5d6e7f185d | |
| parent | 7e2010537e96d0a1144520222f20ba1dc3d61441 (diff) | |
| download | git-0f0ecf68b31303de7cb428554e27d433fe62180e.tar.gz | |
gitweb: escape html in rss title
The title of an RSS feed is generated from many components,
including the filename provided as a query parameter, but we
failed to quote it. Besides showing the wrong output, this
is a vector for XSS attacks.
Signed-off-by: Jeff King <peff@peff.net>
| -rwxr-xr-x | gitweb/gitweb.perl | 1 | ||||
| -rwxr-xr-x | t/t9502-gitweb-standalone-parse-output.sh | 15 |
2 files changed, 16 insertions, 0 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 10ed9e51a5..a51a8babee 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -8055,6 +8055,7 @@ sub git_feed { $feed_type = 'history'; } $title .= " $feed_type"; + $title = esc_html($title); my $descr = git_get_project_description($project); if (defined $descr) { $descr = esc_html($descr); diff --git a/t/t9502-gitweb-standalone-parse-output.sh b/t/t9502-gitweb-standalone-parse-output.sh index 731e64c3ad..3a8e7d3f5a 100755 --- a/t/t9502-gitweb-standalone-parse-output.sh +++ b/t/t9502-gitweb-standalone-parse-output.sh @@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' ' test_cmp expected actual ' +xss() { + echo >&2 "Checking $1..." && + gitweb_run "$1" && + if grep "$TAG" gitweb.body; then + echo >&2 "xss: $TAG should have been quoted in output" + return 1 + fi + return 0 +} + +test_expect_success 'xss checks' ' + TAG="<magic-xss-tag>" && + xss "a=rss&p=$TAG" && + xss "a=rss&p=foo.git&f=$TAG" +' test_done |