Accepting request 74214 from devel:tools:scm

- Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456) OBS-URL: https://build.opensuse.org/request/show/74214 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=60
2011-06-21 07:27:47 +00:00 · 2011-06-21 07:27:47 +00:00 · 081d9cb109
commit 081d9cb109
parent dd6d976ea2
3 changed files with 60 additions and 0 deletions
--- a/git-prevent_xss-default.diff
+++ b/git-prevent_xss-default.diff
@ -0,0 +1,52 @@
+From: Jakub Narebski <jnareb@...il.com>
+Subject: [PATCH] gitweb: Enable $prevent_xss by default
+
+This fixes issue CVE-2011-2186 originally reported in
+https://launchpad.net/bugs/777804
+
+Reported-by: dave b <db.pub.mail@...il.com>
+Signed-off-by: Jakub Narebski <jnareb@...il.com>
+---
+ git-instaweb.sh    |    4 ++++
+ gitweb/README      |    5 +++--
+ gitweb/gitweb.perl |    2 +-
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/git-instaweb.sh
+++ b/git-instaweb.sh
+@@ -583,6 +583,10 @@
+ our \$git_temp = "$fqgitdir/gitweb/tmp";
+ our \$projects_list = \$projectroot;
+ 
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
+ \$feature{'remote_heads'}{'default'} = [1];
+ EOF
+ }
+--- a/gitweb/README
+++ b/gitweb/README
+@@ -236,8 +236,9 @@
+  * $prevent_xss
+    If true, some gitweb features are disabled to prevent content in
+    repositories from launching cross-site scripting (XSS) attacks.  Set this
+-   to true if you don't trust the content of your repositories. The default
+-   is false.
+   to false if you trust the content of your repositories, and want to use
+   per-repository README.html, or use gitweb as deployment platform
+   via 'blob_plain' view and path_info links. The default is true.
+  * $maxload
+    Used to set the maximum load that we will still respond to gitweb queries.
+    If server load exceed this value then return "503 Service Unavailable" error.
+--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
+@@ -162,7 +162,7 @@
+ 
+ # Disables features that would allow repository owners to inject script into
+ # the gitweb domain.
+-our $prevent_xss = 0;
+our $prevent_xss = 1;
+ 
+ # Path to the highlight executable to use (must be the one from
+ # http://www.andre-simon.de due to assumptions about parameters and output).
--- a/git.changes
+++ b/git.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jun 17 11:53:21 CEST 2011 - tiwai@suse.de
+
+- Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456)
+
 -------------------------------------------------------------------
 Mon Jun  6 16:02:12 CEST 2011 - tiwai@suse.de

--- a/git.spec
+++ b/git.spec
@ -53,6 +53,8 @@ Source5:        usr.share.git-web.gitweb.cgi
 Patch1:         git-nohardlink.diff
 Patch2:         git-python-install-fix.diff
 Patch3:         completion-wordbreaks.diff
+# CVE-2011-2186, bnc#698456
+Patch4:         git-prevent_xss-default.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires:       git-core = %{version}
 Recommends:     git-svn git-cvs git-email gitk git-gui git-web
@ -262,6 +264,7 @@ This package contains the building blocks for remote helpers written in Python.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1

 %build
 cat > .make <<'EOF'