1 From: Jakub Narebski <jnareb@...il.com>
2 Subject: [PATCH] gitweb: Enable $prevent_xss by default
4 This fixes issue CVE-2011-2186 originally reported in
5 https://launchpad.net/bugs/777804
7 Reported-by: dave b <db.pub.mail@...il.com>
8 Signed-off-by: Jakub Narebski <jnareb@...il.com>
10 git-instaweb.sh | 4 ++++
11 gitweb/README | 5 +++--
12 gitweb/gitweb.perl | 2 +-
13 3 files changed, 8 insertions(+), 3 deletions(-)
18 our \$git_temp = "$fqgitdir/gitweb/tmp";
19 our \$projects_list = \$projectroot;
21 +# we can trust our own repository, so disable XSS prevention
22 +# to enable some extra features
23 +our \$prevent_xss = 0;
25 \$feature{'remote_heads'}{'default'} = [1];
28 --- a/gitweb/gitweb.perl
29 +++ b/gitweb/gitweb.perl
32 # Disables features that would allow repository owners to inject script into
34 -our $prevent_xss = 0;
35 +our $prevent_xss = 1;
37 # Path to the highlight executable to use (must be the one from
38 # http://www.andre-simon.de due to assumptions about parameters and output).