git/git-prevent_xss-default.diff

43 lines
1.4 KiB
Diff
Raw Normal View History

- Update to version 2.46.1; * "git checkout --ours" (no other arguments) complained that the option is incompatible with branch switching, which is technically correct, but found confusing by some users. It now says that the user needs to give pathspec to specify what paths to checkout. * It has been documented that we avoid "VAR=VAL shell_func" and why. * "git add -p" by users with diff.suppressBlankEmpty set to true failed to parse the patch that represents an unmodified empty line with an empty line (not a line with a single space on it), which has been corrected. * "git rebase --help" referred to "offset" (the difference between the location a change was taken from and the change gets replaced) incorrectly and called it "fuzz", which has been corrected. * "git notes add -m '' --allow-empty" and friends that take prepared data to create notes should not invoke an editor, but it started doing so since Git 2.42, which has been corrected. * An expensive operation to prepare tracing was done in re-encoding code path even when the tracing was not requested, which has been corrected. * Perforce tests have been updated. * The credential helper to talk to OSX keychain sometimes sent garbage bytes after the username, which has been corrected. * A recent update broke "git ls-remote" used outside a repository, which has been corrected. * "git config --value=foo --fixed-value section.key newvalue" barfed when the existing value in the configuration file used the valueless true syntax, which has been corrected. * "git reflog expire" failed to honor annotated tags when computing reachable commits. * A flakey test and incorrect calls to strtoX() functions have been OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/git?expand=0&rev=656
2024-09-20 14:52:53 +02:00
From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default
This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804
Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
git-instaweb.sh | 4 ++++
gitweb/README | 5 +++--
gitweb/gitweb.perl | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
Index: git-2.43.1/git-instaweb.sh
===================================================================
--- git-2.43.1.orig/git-instaweb.sh
+++ git-2.43.1/git-instaweb.sh
@@ -721,6 +721,10 @@ our \$projectroot = "$(dirname "$fqgitdi
our \$git_temp = "$fqgitdir/gitweb/tmp";
our \$projects_list = \$projectroot;
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
\$feature{'remote_heads'}{'default'} = [1];
EOF
}
Index: git-2.43.1/gitweb/gitweb.perl
===================================================================
--- git-2.43.1.orig/gitweb/gitweb.perl
+++ git-2.43.1/gitweb/gitweb.perl
@@ -194,7 +194,7 @@ our @diff_opts = ('-M'); # taken from gi
# Disables features that would allow repository owners to inject script into
# the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
# Path to the highlight executable to use (must be the one from
# http://andre-simon.de/zip/download.php due to assumptions about parameters and output).