diff options
| author | Matt McCutchen <matt@mattmccutchen.net> | 2009-02-07 19:00:09 -0500 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2009-02-08 21:51:25 -0800 |
| commit | 7e1100e9e939c9178b2aa3969349e9e8d34488bf (patch) | |
| tree | a0238a2d09de9d5f9617e72559d5d79398836f45 /gitweb/README | |
| parent | 6e46cc0d9294d5f4ad0c9a6ffd2d9ca82bce8458 (diff) | |
| download | git-7e1100e9e939c9178b2aa3969349e9e8d34488bf.tar.gz git-7e1100e9e939c9178b2aa3969349e9e8d34488bf.tar.xz | |
gitweb: add $prevent_xss option to prevent XSS by repository content
Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain. Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.
The XSS prevention is currently off by default.
Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gitweb/README')
| -rw-r--r-- | gitweb/README | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/gitweb/README b/gitweb/README index 825162a0b..19ae28ef9 100644 --- a/gitweb/README +++ b/gitweb/README @@ -214,6 +214,11 @@ not include variables usually directly set during build): Rename detection options for git-diff and git-diff-tree. By default ('-M'); set it to ('-C') or ('-C', '-C') to also detect copies, or set it to () if you don't want to have renames detection. + * $prevent_xss + If true, some gitweb features are disabled to prevent content in + repositories from launching cross-site scripting (XSS) attacks. Set this + to true if you don't trust the content of your repositories. The default + is false. Projects list file format @@ -260,7 +265,9 @@ You can use the following files in repository: A .html file (HTML fragment) which is included on the gitweb project summary page inside <div> block element. You can use it for longer description of a project, to provide links (for example to project's - homepage), etc. + homepage), etc. This is recognized only if XSS prevention is off + ($prevent_xss is false); a way to include a readme safely when XSS + prevention is on may be worked out in the future. * description (or gitweb.description) Short (shortened by default to 25 characters in the projects list page) single line description of a project (of a repository). Plain text file; |