From 0f0ecf68b31303de7cb428554e27d433fe62180e Mon Sep 17 00:00:00 2001 From: Jeff King Date: Mon, 12 Nov 2012 16:34:28 -0500 Subject: [PATCH] gitweb: escape html in rss title The title of an RSS feed is generated from many components, including the filename provided as a query parameter, but we failed to quote it. Besides showing the wrong output, this is a vector for XSS attacks. Signed-off-by: Jeff King --- gitweb/gitweb.perl | 1 + t/t9502-gitweb-standalone-parse-output.sh | 15 +++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 10ed9e51a5..a51a8babee 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -8055,6 +8055,7 @@ sub git_feed { $feed_type = 'history'; } $title .= " $feed_type"; + $title = esc_html($title); my $descr = git_get_project_description($project); if (defined $descr) { $descr = esc_html($descr); diff --git a/t/t9502-gitweb-standalone-parse-output.sh b/t/t9502-gitweb-standalone-parse-output.sh index 731e64c3ad..3a8e7d3f5a 100755 --- a/t/t9502-gitweb-standalone-parse-output.sh +++ b/t/t9502-gitweb-standalone-parse-output.sh @@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' ' test_cmp expected actual ' +xss() { + echo >&2 "Checking $1..." && + gitweb_run "$1" && + if grep "$TAG" gitweb.body; then + echo >&2 "xss: $TAG should have been quoted in output" + return 1 + fi + return 0 +} + +test_expect_success 'xss checks' ' + TAG="" && + xss "a=rss&p=$TAG" && + xss "a=rss&p=foo.git&f=$TAG" +' test_done -- 2.11.4.GIT