Date: Fri, 15 Nov 2019 04:05:45 -0500
From: Jeff King
To: git@vger.kernel.org
Cc: NAKAYAMA DAISUKE
Subject: [PATCH 0/4] gitweb: quote base url more consistently
Message-ID: <20191115090545.GA30971@sigill.intra.peff.net>

This series fixes an XSS issue reported to the git-security list where
gitweb doesn't always quote its base url, meaning a specially-crafted URL
can inject HTML into the finished page.

Given the relatively low severity of the problem and my lack of
familiarity with gitweb, it makes sense to me to just discuss this one in
the open.

Credit for finding the problem (and some patient explanations) goes to
NAKAYAMA DAISUKE.

  [1/4]: t9502: pass along all arguments in xss helper
  [2/4]: t/gitweb-lib.sh: drop confusing quotes
  [3/4]: t/gitweb-lib.sh: set $REQUEST_URI
  [4/4]: gitweb: escape URLs generated by href()

 gitweb/gitweb.perl                        | 31 +++++++++++++----------
 t/gitweb-lib.sh                           |  7 ++---
 t/t9502-gitweb-standalone-parse-output.sh |  7 ++---
 3 files changed, 25 insertions(+), 20 deletions(-)

-Peff
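The bug class the cover letter describes, as an added example that is not gitweb's code and not part of the original message: a CGI-style page builder derives its base URL from the request (here modelled from REQUEST_URI and SERVER_NAME, an assumption) and interpolates it into an href attribute. The vulnerable renderer emits the URL raw, so a request path containing `"><script>` closes the attribute and injects markup; the fixed renderer HTML-escapes the URL at the point where it is written into the page. All function names (`base_url_from_request`, `render_link_vulnerable`, `render_link_fixed`) and the crafted request are hypothetical and constructed for the example.

```python
# Added example modelling the gitweb base-url XSS; not gitweb's own code.
# Function names and the sample request are hypothetical/constructed.
import html


def base_url_from_request(environ):
    """Derive a base URL from CGI-style environment variables.

    Assumption for this example: the base URL is built from SERVER_NAME and
    REQUEST_URI, so a client controls the tail of it.
    """
    scheme = "https" if environ.get("HTTPS") == "on" else "http"
    host = environ.get("SERVER_NAME", "localhost")
    return f"{scheme}://{host}{environ.get('REQUEST_URI', '/')}"


def render_link_vulnerable(base_url, action):
    """'Before' behaviour: the client-influenced URL lands raw in an attribute."""
    return f'<a href="{base_url}?a={action}">{action}</a>'


def render_link_fixed(base_url, action):
    """'After' behaviour: escape the URL where it is written into HTML.

    quote=True also turns '"' into &quot;, which is what stops an attribute
    breakout; escaping only < and > would not be enough here.
    """
    href = f"{base_url}?a={action}"
    return f'<a href="{html.escape(href, quote=True)}">{html.escape(action)}</a>'


def breaks_out_of_attribute(markup):
    """Crude check used by the assertions below: a literal <script> tag in the
    output means the attribute value was not contained."""
    return "<script>" in markup


# Constructed requests: one benign, one carrying an attribute-breakout payload.
BENIGN_REQUEST = {"SERVER_NAME": "git.example.com", "REQUEST_URI": "/gitweb/"}
CRAFTED_REQUEST = {
    "SERVER_NAME": "git.example.com",
    "REQUEST_URI": '/gitweb/"><script>alert(1)</script>',
}


def demo():
    """Return (vulnerable_output, fixed_output) for the crafted request."""
    base = base_url_from_request(CRAFTED_REQUEST)
    return render_link_vulnerable(base, "summary"), render_link_fixed(base, "summary")


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable:", before)
    print("fixed:     ", after)
```

Percent-encoding the URL when it is constructed and HTML-escaping it when it is emitted are separate layers; a URL that is valid as a URL can still contain `"` and `<`, so the output-side escape is the one that closes this hole regardless of how the base URL was built.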