git/git-prevent_xss-default.diff
Stephan Kulow 10c5d9e91c Accepting request 96975 from devel:tools:scm
- Implement %check via make test
- Update to v1.7.8
 New features:
 * The date parser now accepts timezone designators that lack minutes
   part and also has a colon between "hh:mm".
 
 * The contents of the /etc/mailname file, if exists, is used as the
   default value of the hostname part of the committer/author e-mail.
 * "git am" learned how to read from patches generated by Hg.
 * "git archive" talking with a remote repository can report errors
   from the remote side in a more informative way.
 * "git branch" learned an explicit --list option to ask for branches
   listed, optionally with a glob matching pattern to limit its output.
 * "git check-attr" learned "--cached" option to look at .gitattributes
   files from the index, not from the working tree.
 * Variants of "git cherry-pick" and "git revert" that take multiple
   commits learned to "--continue" and "--abort".
 * "git daemon" gives more human readable error messages to clients
   using ERR packets when appropriate.
 * Errors at the network layer are logged by "git daemon".
 * "git diff" learned "--minimal" option to spend extra cycles to come
   up with a minimal patch output.
 * "git diff" learned "--function-context" option to show the whole
   function as context that was affected by a change.
 * "git difftool" can be told to skip launching the tool for a path by
   answering 'n' to its prompt.
 * "git fetch" learned to honor transfer.fsckobjects configuration to
   validate the objects that were received from the other end, just like
   "git receive-pack" (the receiving end of "git push") does.
 * "git fetch" makes sure that the set of objects it received from the (forwarded request 96521 from namtrac)

OBS-URL: https://build.opensuse.org/request/show/96975
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=79
2011-12-21 09:00:12 +00:00


From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default
This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804
Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
git-instaweb.sh | 4 ++++
gitweb/README | 5 +++--
gitweb/gitweb.perl | 2 +-
3 files changed, 8 insertions(+), 3 deletions(-)
--- a/git-instaweb.sh
+++ b/git-instaweb.sh
@@ -583,6 +583,10 @@
our \$git_temp = "$fqgitdir/gitweb/tmp";
our \$projects_list = \$projectroot;
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
\$feature{'remote_heads'}{'default'} = [1];
EOF
}
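Review bot: the rationale comment added in this hunk ("we can trust our own repository, so disable XSS prevention to enable some extra features") understates what `our \$prevent_xss = 0;` gives up. Per the gitweb.perl comment in this same patch, the flag exists to keep repository content from injecting script into the gitweb domain, so the trust being extended here is to the contents of the repository instaweb serves, not only to the local user running it. Suggest the comment say that explicitly and name the features the flag would otherwise turn off instead of "some extra features", e.g. `# instaweb serves one local repository whose contents we trust,` / `# so allow the features that \$prevent_xss disables (see gitweb.perl).`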
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -170,7 +170,7 @@
# Disables features that would allow repository owners to inject script into
# the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
# Path to the highlight executable to use (must be the one from
# http://www.andre-simon.de due to assumptions about parameters and output).
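Review bot: flipping the default from 0 to 1 changes behaviour for every existing gitweb installation that never set $prevent_xss in its site configuration, and the comment above the variable still only says what the flag disables, not that it is now on by default or how a trusted deployment turns it off. The diffstat lists gitweb/README with +3/-2, but that hunk is not part of the visible diff; make sure the README documents the new default and the `our $prevent_xss = 0;` override, and consider calling out the changed default in the release notes next to the CVE-2011-2186 reference so administrators know which features stop working after upgrade.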