From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default

This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804

Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
 git-instaweb.sh    |    4 ++++
 gitweb/README      |    5 +++--
 gitweb/gitweb.perl |    2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

--- a/git-instaweb.sh
+++ b/git-instaweb.sh
@@ -583,6 +583,10 @@
 our \$git_temp = "$fqgitdir/gitweb/tmp";
 our \$projects_list = \$projectroot;
 
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
 \$feature{'remote_heads'}{'default'} = [1];
 EOF
 }
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -170,7 +170,7 @@
 
 # Disables features that would allow repository owners to inject script into
 # the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
 
 # Path to the highlight executable to use (must be the one from
 # http://www.andre-simon.de due to assumptions about parameters and output).