Antonio Teixeira
b80926ddde
* "git checkout --ours" (no other arguments) complained that the
option is incompatible with branch switching, which is technically
correct, but found confusing by some users. It now says that the
user needs to give pathspec to specify what paths to checkout.
* It has been documented that we avoid "VAR=VAL shell_func" and why.
* "git add -p" by users with diff.suppressBlankEmpty set to true
failed to parse the patch that represents an unmodified empty line
with an empty line (not a line with a single space on it), which
has been corrected.
* "git rebase --help" referred to "offset" (the difference between
the location a change was taken from and the change gets replaced)
incorrectly and called it "fuzz", which has been corrected.
* "git notes add -m '' --allow-empty" and friends that take prepared
data to create notes should not invoke an editor, but it started
doing so since Git 2.42, which has been corrected.
* An expensive operation to prepare tracing was done in re-encoding
code path even when the tracing was not requested, which has been
corrected.
* Perforce tests have been updated.
* The credential helper to talk to OSX keychain sometimes sent
garbage bytes after the username, which has been corrected.
* A recent update broke "git ls-remote" used outside a repository,
which has been corrected.
* "git config --value=foo --fixed-value section.key newvalue" barfed
when the existing value in the configuration file used the
valueless true syntax, which has been corrected.
* "git reflog expire" failed to honor annotated tags when computing
reachable commits.
* A flakey test and incorrect calls to strtoX() functions have been
OBS-URL: https://build.opensuse.org/package/show/devel:tools:scm/git?expand=0&rev=656
43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
From: Jakub Narebski <jnareb@...il.com>
|
|
Subject: [PATCH] gitweb: Enable $prevent_xss by default
|
|
|
|
This fixes issue CVE-2011-2186 originally reported in
|
|
https://launchpad.net/bugs/777804
|
|
|
|
Reported-by: dave b <db.pub.mail@...il.com>
|
|
Signed-off-by: Jakub Narebski <jnareb@...il.com>
|
|
---
|
|
git-instaweb.sh | 4 ++++
|
|
gitweb/README | 5 +++--
|
|
gitweb/gitweb.perl | 2 +-
|
|
3 files changed, 8 insertions(+), 3 deletions(-)
|
|
|
|
Index: git-2.43.1/git-instaweb.sh
|
|
===================================================================
|
|
--- git-2.43.1.orig/git-instaweb.sh
|
|
+++ git-2.43.1/git-instaweb.sh
|
|
@@ -721,6 +721,10 @@ our \$projectroot = "$(dirname "$fqgitdi
|
|
our \$git_temp = "$fqgitdir/gitweb/tmp";
|
|
our \$projects_list = \$projectroot;
|
|
|
|
+# we can trust our own repository, so disable XSS prevention
|
|
+# to enable some extra features
|
|
+our \$prevent_xss = 0;
|
|
+
|
|
\$feature{'remote_heads'}{'default'} = [1];
|
|
EOF
|
|
}
|
|
Index: git-2.43.1/gitweb/gitweb.perl
|
|
===================================================================
|
|
--- git-2.43.1.orig/gitweb/gitweb.perl
|
|
+++ git-2.43.1/gitweb/gitweb.perl
|
|
@@ -194,7 +194,7 @@ our @diff_opts = ('-M'); # taken from gi
|
|
|
|
# Disables features that would allow repository owners to inject script into
|
|
# the gitweb domain.
|
|
-our $prevent_xss = 0;
|
|
+our $prevent_xss = 1;
|
|
|
|
# Path to the highlight executable to use (must be the one from
|
|
# http://andre-simon.de/zip/download.php due to assumptions about parameters and output).
|