From: Jakub Narebski
Subject: [PATCH] gitweb: Enable $prevent_xss by default

This fixes issue CVE-2011-2186 originally reported in https://launchpad.net/bugs/777804

Reported-by: dave b
Signed-off-by: Jakub Narebski
---
 git-instaweb.sh | 4 ++++
 gitweb/README | 5 +++--
 gitweb/gitweb.perl | 2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)
Index: git-2.43.1/git-instaweb.sh
===================================================================
--- git-2.43.1.orig/git-instaweb.sh
+++ git-2.43.1/git-instaweb.sh
@@ -721,6 +721,10 @@ our \$projectroot = "$(dirname "$fqgitdi
 our \$git_temp = "$fqgitdir/gitweb/tmp";
 our \$projects_list = \$projectroot;
 
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
 \$feature{'remote_heads'}{'default'} = [1];
 EOF
 }
Index: git-2.43.1/gitweb/gitweb.perl
===================================================================
--- git-2.43.1.orig/gitweb/gitweb.perl
+++ git-2.43.1/gitweb/gitweb.perl
@@ -194,7 +194,7 @@ our @diff_opts = ('-M'); # taken from gi
 
 # Disables features that would allow repository owners to inject script into
 # the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
 
 # Path to the highlight executable to use (must be the one from
 # http://andre-simon.de/zip/download.php due to assumptions about parameters and output).
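Review bot: The justification "we can trust our own repository" written into the generated config is broader than what the hunk guarantees: the repository git-instaweb serves is whatever is in the working repository, which may include history cloned from third parties, so the script-injection vector that $prevent_xss closes in gitweb.perl is reopened for that content on the instaweb origin. Since this line is emitted unconditionally into the heredoc, an operator cannot keep the safer default without editing the generated file; if git-instaweb has an option that limits the bind address to loopback (not visible in this hunk), the relaxation would be better tied to that, or at least the comment should state the assumption, e.g. `# git-instaweb serves the local user's own repository, so the gitweb.perl` / `# default is relaxed here; this also trusts any third-party history cloned into it`. The enclosing shell function and heredoc start before the hunk.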
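Review bot: The comment above the changed line still reads as a description of an opt-in knob, while the new default now silently disables features for every existing deployment that did not set $prevent_xss in gitweb_config.perl; the comment should say so and name the CVE the default fixes, e.g. `# Disables features that would allow repository owners to inject script into` / `# the gitweb domain.  On by default since CVE-2011-2186; set to 0 in` / `# gitweb_config.perl only for installations whose repositories are trusted.` The diffstat lists gitweb/README with +5/-2 but no README section appears in this patch, so the documentation of the new default may have been dropped in the backport; presumably that hunk should be restored or the diffstat corrected.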