mirrors/git
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gitweb: add $prevent_xss option to prevent XSS by repository content

Browse Source 
Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain.  Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.

The XSS prevention is currently off by default.

Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
This commit is contained in:
Matt McCutchen
2009-02-07 19:00:09 -05:00
committed by Junio C Hamano
parent 6e46cc0d92
commit 7e1100e9e9
2 changed files with 27 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
gitweb/gitweb.perl
View File

@ -132,6 +132,10 @@ our $fallback_encoding = 'latin1';
# - one might want to include '-B' option, e.g. '-B', '-M'
our @diff_opts = ('-M'); # taken from git_commit
# Disables features that would allow repository owners to inject script into
# the gitweb domain.
our $prevent_xss = 0;
# information about snapshot formats that gitweb is capable of serving
our %known_snapshot_formats = (
# name => {
@ -4494,7 +4498,9 @@ sub git_summary {
print "</table>\n";
if (-s "$projectroot/$project/README.html") {
# If XSS prevention is on, we don't include README.html.
# TODO: Allow a readme in some safe format.
if (!$prevent_xss && -s "$projectroot/$project/README.html") {
print "<div class=\"title\">readme</div>\n" .
"<div class=\"readme\">\n";
insert_file("$projectroot/$project/README.html");
@ -4739,10 +4745,21 @@ sub git_blob_plain {
$save_as .= '.txt';
}
# With XSS prevention on, blobs of all types except a few known safe
# ones are served with "Content-Disposition: attachment" to make sure
# they don't run in our security domain. For certain image types,
# blob view writes an <img> tag referring to blob_plain view, and we
# want to be sure not to break that by serving the image as an
# attachment (though Firefox 3 doesn't seem to care).
my $sandbox = $prevent_xss &&
$type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!;
print $cgi->header(
-type => $type,
-expires => $expires,
-content_disposition => 'inline; filename="' . $save_as . '"');
-content_disposition =>
($sandbox ? 'attachment' : 'inline')
. '; filename="' . $save_as . '"');
undef $/;
binmode STDOUT, ':raw';
print <$fd>;