git/git-prevent_xss-default.diff
Dirk Mueller 483dbc7bc8 - Update to version 2.46.2:
  * Revert the "git patch-id" change that went into 2.46.1,
    as it seems to have got a regression reported (I haven't verified,
    but it is better to keep a known breakage than adding an unintended
    regression).
  * In a few corner cases "git diff --exit-code" failed to report
    "changes" (e.g., renamed without any content change), which has
    been corrected.
  * The interpret-trailers command failed to recognise the end of the
    message when the commit log ends in an incomplete line.

OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/git?expand=0&rev=658
2024-10-09 09:34:47 +00:00


From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default
This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804
Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
git-instaweb.sh | 4 ++++
gitweb/README | 5 +++--
gitweb/gitweb.perl | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
Index: git-2.43.1/git-instaweb.sh
===================================================================
--- git-2.43.1.orig/git-instaweb.sh
+++ git-2.43.1/git-instaweb.sh
@@ -721,6 +721,10 @@ our \$projectroot = "$(dirname "$fqgitdi
our \$git_temp = "$fqgitdir/gitweb/tmp";
our \$projects_list = \$projectroot;
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
\$feature{'remote_heads'}{'default'} = [1];
EOF
}
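Review bot: the new comment "we can trust our own repository, so disable XSS prevention" only states half of the trade-off at the `+our \$prevent_xss = 0;` line: git-instaweb serves whatever history has been fetched into the local repository, and setting the knob to 0 in the generated config re-enables exactly the features the gitweb.perl comment in the next hunk describes as letting repository content inject script into the gitweb domain. Suggest the comment say that this is a deliberate local-only override of the gitweb default (for example "# gitweb defaults to \$prevent_xss = 1; instaweb serves only the local repository, so allow the extra features") so the next reader does not copy the line into a public deployment. Separately, the `Index:`/`---`/`+++` paths still name git-2.43.1 while this commit updates the package to 2.46.2; refresh the patch against the current tarball so it applies without offset.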
Index: git-2.43.1/gitweb/gitweb.perl
===================================================================
--- git-2.43.1.orig/gitweb/gitweb.perl
+++ git-2.43.1/gitweb/gitweb.perl
@@ -194,7 +194,7 @@ our @diff_opts = ('-M'); # taken from gi
# Disables features that would allow repository owners to inject script into
# the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
# Path to the highlight executable to use (must be the one from
# http://andre-simon.de/zip/download.php due to assumptions about parameters and output).
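Review bot: changing the default from 0 to 1 is the right fix for CVE-2011-2186 named in the patch header, but it is a behaviour change for every existing install that relied on the old default, and nothing in this hunk documents it: the diffstat lists `gitweb/README | 5 +++--`, yet no README hunk is present in this file, so the new default and how to opt out are not described anywhere the patch touches. Suggest including the README hunk and extending the comment above the setting, e.g. "# Enabled by default; set to 0 only for repositories whose owners you trust (git-instaweb does this for the local repository)", so the reason the default flipped travels with the code.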