diff options
| author | Matt McCutchen <matt@mattmccutchen.net> | 2009-02-07 19:00:09 -0500 |
|---|---|---|
| committer | Junio C Hamano <gitster@pobox.com> | 2009-02-08 21:51:25 -0800 |
| commit | 7e1100e9e939c9178b2aa3969349e9e8d34488bf (patch) | |
| tree | a0238a2d09de9d5f9617e72559d5d79398836f45 /gitweb/gitweb.perl | |
| parent | 6e46cc0d9294d5f4ad0c9a6ffd2d9ca82bce8458 (diff) | |
| download | git-7e1100e9e939c9178b2aa3969349e9e8d34488bf.tar.gz git-7e1100e9e939c9178b2aa3969349e9e8d34488bf.tar.xz | |
gitweb: add $prevent_xss option to prevent XSS by repository content
Add a gitweb configuration variable $prevent_xss that disables features
to prevent content in repositories from launching cross-site scripting
(XSS) attacks in the gitweb domain. Currently, this option makes gitweb
ignore README.html (a better solution may be worked out in the future)
and serve a blob_plain file of an untrusted type with
"Content-Disposition: attachment", which tells the browser not to show
the file at its original URL.
The XSS prevention is currently off by default.
Signed-off-by: Matt McCutchen <matt@mattmccutchen.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Diffstat (limited to 'gitweb/gitweb.perl')
| -rwxr-xr-x | gitweb/gitweb.perl | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 99f71b47c..bdaa4e946 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -132,6 +132,10 @@ our $fallback_encoding = 'latin1'; # - one might want to include '-B' option, e.g. '-B', '-M' our @diff_opts = ('-M'); # taken from git_commit +# Disables features that would allow repository owners to inject script into +# the gitweb domain. +our $prevent_xss = 0; + # information about snapshot formats that gitweb is capable of serving our %known_snapshot_formats = ( # name => { @@ -4494,7 +4498,9 @@ sub git_summary { print "</table>\n"; - if (-s "$projectroot/$project/README.html") { + # If XSS prevention is on, we don't include README.html. + # TODO: Allow a readme in some safe format. + if (!$prevent_xss && -s "$projectroot/$project/README.html") { print "<div class=\"title\">readme</div>\n" . "<div class=\"readme\">\n"; insert_file("$projectroot/$project/README.html"); @@ -4739,10 +4745,21 @@ sub git_blob_plain { $save_as .= '.txt'; } + # With XSS prevention on, blobs of all types except a few known safe + # ones are served with "Content-Disposition: attachment" to make sure + # they don't run in our security domain. For certain image types, + # blob view writes an <img> tag referring to blob_plain view, and we + # want to be sure not to break that by serving the image as an + # attachment (though Firefox 3 doesn't seem to care). + my $sandbox = $prevent_xss && + $type !~ m!^(?:text/plain|image/(?:gif|png|jpeg))$!; + print $cgi->header( -type => $type, -expires => $expires, - -content_disposition => 'inline; filename="' . $save_as . '"'); + -content_disposition => + ($sandbox ? 'attachment' : 'inline') + . '; filename="' . $save_as . '"'); undef $/; binmode STDOUT, ':raw'; print <$fd>; |