From 081d9cb10976b6e3dd11b2664c6cc96641cfe4e06a943332c2c37384944affdc Mon Sep 17 00:00:00 2001
From: Sascha Peilicke
Date: Tue, 21 Jun 2011 07:27:47 +0000
Subject: [PATCH] Accepting request 74214 from devel:tools:scm - Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456)
OBS-URL: https://build.opensuse.org/request/show/74214
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=60
---
 git-prevent_xss-default.diff | 52 ++++++++++++++++++++++++++++++++++++
 git.changes | 5 ++++
 git.spec | 3 +++
 3 files changed, 60 insertions(+)
 create mode 100644 git-prevent_xss-default.diff

diff --git a/git-prevent_xss-default.diff b/git-prevent_xss-default.diff
new file mode 100644
index 0000000..697be67
--- /dev/null
+++ b/git-prevent_xss-default.diff
@@ -0,0 +1,52 @@
+From: Jakub Narebski
+Subject: [PATCH] gitweb: Enable $prevent_xss by default
+
+This fixes issue CVE-2011-2186 originally reported in
+https://launchpad.net/bugs/777804
+
+Reported-by: dave b
+Signed-off-by: Jakub Narebski
+---
+ git-instaweb.sh | 4 ++++
+ gitweb/README | 5 +++--
+ gitweb/gitweb.perl | 2 +-
+ 3 files changed, 8 insertions(+), 3 deletions(-)
+
+--- a/git-instaweb.sh
++++ b/git-instaweb.sh
+@@ -583,6 +583,10 @@
+ our \$git_temp = "$fqgitdir/gitweb/tmp";
+ our \$projects_list = \$projectroot;
+ 
++# we can trust our own repository, so disable XSS prevention
++# to enable some extra features
++our \$prevent_xss = 0;
++
+ \$feature{'remote_heads'}{'default'} = [1];
+ EOF
+ }
+--- a/gitweb/README
++++ b/gitweb/README
+@@ -236,8 +236,9 @@
+ * $prevent_xss
+ If true, some gitweb features are disabled to prevent content in
+ repositories from launching cross-site scripting (XSS) attacks. Set this
+- to true if you don't trust the content of your repositories. The default
+- is false.
++ to false if you trust the content of your repositories, and want to use
++ per-repository README.html, or use gitweb as deployment platform
++ via 'blob_plain' view and path_info links. The default is true.
+ * $maxload
+ Used to set the maximum load that we will still respond to gitweb queries.
+ If server load exceed this value then return "503 Service Unavailable" error.
+--- a/gitweb/gitweb.perl
++++ b/gitweb/gitweb.perl
+@@ -162,7 +162,7 @@
+ 
+ # Disables features that would allow repository owners to inject script into
+ # the gitweb domain.
+-our $prevent_xss = 0;
++our $prevent_xss = 1;
+ 
+ # Path to the highlight executable to use (must be the one from
+ # http://www.andre-simon.de due to assumptions about parameters and output).
diff --git a/git.changes b/git.changes
index 11b1a5c..a8a1f80 100644
--- a/git.changes
+++ b/git.changes
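Review bot: The git-instaweb.sh part of the nested patch writes `our \$prevent_xss = 0;` into the generated gitweb config, which re-enables exactly the features the gitweb.perl default flip turns off (per-repository README.html and script-capable blob_plain output, per the README text in the same hunk) for whatever repository instaweb is started in, including a freshly cloned untrusted one. The comment `# we can trust our own repository` documents the wrong thing; the real safety argument is presumably that instaweb serves only the invoking user on a local port, which this hunk does not show. I would replace the two comment lines with `# instaweb serves the local checkout to its own user (presumably on a local listener; verify),` / `# so the browser origin is not shared with untrusted content and XSS prevention can be relaxed` so a later reader does not copy the override into a network-facing gitweb. The heredoc these lines sit in starts and ends outside the visible context lines.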
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jun 17 11:53:21 CEST 2011 - tiwai@suse.de
+
+- Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456)
+
 -------------------------------------------------------------------
 Mon Jun 6 16:02:12 CEST 2011 - tiwai@suse.de
 
diff --git a/git.spec b/git.spec
index 84d5a91..2e55cd0 100644
--- a/git.spec
+++ b/git.spec
@@ -53,6 +53,8 @@
 Source5: usr.share.git-web.gitweb.cgi
 Patch1: git-nohardlink.diff
 Patch2: git-python-install-fix.diff
 Patch3: completion-wordbreaks.diff
+# CVE-2011-2186, bnc#698456
+Patch4: git-prevent_xss-default.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 Requires: git-core = %{version}
 Recommends: git-svn git-cvs git-email gitk git-gui git-web
@@ -262,6 +264,7 @@ This package contains the building blocks for remote helpers written in Python.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %build
 cat > .make <<'EOF'