git/git-prevent_xss-default.diff

From: Jakub Narebski <jnareb@...il.com>
Subject: [PATCH] gitweb: Enable $prevent_xss by default

This fixes issue CVE-2011-2186 originally reported in
https://launchpad.net/bugs/777804

Reported-by: dave b <db.pub.mail@...il.com>
Signed-off-by: Jakub Narebski <jnareb@...il.com>
---
 git-instaweb.sh    |    4 ++++
 gitweb/README      |    5 +++--
 gitweb/gitweb.perl |    2 +-
 3 files changed, 8 insertions(+), 3 deletions(-)

--- a/git-instaweb.sh
+++ b/git-instaweb.sh
@@ -583,6 +583,10 @@
 our \$git_temp = "$fqgitdir/gitweb/tmp";
 our \$projects_list = \$projectroot;
 
+# we can trust our own repository, so disable XSS prevention
+# to enable some extra features
+our \$prevent_xss = 0;
+
 \$feature{'remote_heads'}{'default'} = [1];
 EOF
 }
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -170,7 +170,7 @@
 
 # Disables features that would allow repository owners to inject script into
 # the gitweb domain.
-our $prevent_xss = 0;
+our $prevent_xss = 1;
 
 # Path to the highlight executable to use (must be the one from
 # http://www.andre-simon.de due to assumptions about parameters and output).
Accepting request 74214 from devel:tools:scm - Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456) OBS-URL: https://build.opensuse.org/request/show/74214 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=60 2011-06-21 09:27:47 +02:00			`From: Jakub Narebski <jnareb@...il.com>`
			`Subject: [PATCH] gitweb: Enable $prevent_xss by default`

			`This fixes issue CVE-2011-2186 originally reported in`
			`https://launchpad.net/bugs/777804`

			`Reported-by: dave b <db.pub.mail@...il.com>`
			`Signed-off-by: Jakub Narebski <jnareb@...il.com>`
			`---`
			`git-instaweb.sh \| 4 ++++`
			`gitweb/README \| 5 +++--`
			`gitweb/gitweb.perl \| 2 +-`
			`3 files changed, 8 insertions(+), 3 deletions(-)`

			`--- a/git-instaweb.sh`
			`+++ b/git-instaweb.sh`
			`@@ -583,6 +583,10 @@`
			`our \$git_temp = "$fqgitdir/gitweb/tmp";`
			`our \$projects_list = \$projectroot;`

			`+# we can trust our own repository, so disable XSS prevention`
			`+# to enable some extra features`
			`+our \$prevent_xss = 0;`
			`+`
			`\$feature{'remote_heads'}{'default'} = [1];`
			`EOF`
			`}`
			`--- a/gitweb/gitweb.perl`
			`+++ b/gitweb/gitweb.perl`
Accepting request 74766 from devel:tools:scm - update to 1.7.6: major update from 1.7.5.x * Similar to branch names, tagnames that begin with "-" are now disallowed. * Simpler handling of a large file depending on core.bigfilethreshold value * A magic pathspec ":/" handling * Some new options and improvements in git-blame, git-commit, git-diff git-grep, git-format-patch, git-merge, git-svn, etc * More prepartaion for i18n/l10n. See Documentation/RelNotes/1.7.6.txt for details. - updated to git 1.7.6: see git changelog for more details OBS-URL: https://build.opensuse.org/request/show/74766 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=64 2011-06-28 15:12:53 +02:00			`@@ -170,7 +170,7 @@`
Accepting request 74214 from devel:tools:scm - Fix VUL-1: git-web xss (CVE-2011-2186, bnc#698456) OBS-URL: https://build.opensuse.org/request/show/74214 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/git?expand=0&rev=60 2011-06-21 09:27:47 +02:00
			`# Disables features that would allow repository owners to inject script into`
			`# the gitweb domain.`
			`-our $prevent_xss = 0;`
			`+our $prevent_xss = 1;`

			`# Path to the highlight executable to use (must be the one from`
			`# http://www.andre-simon.de due to assumptions about parameters and output).`