git-commit-vandalism/gitweb
Jeff King a376e37b2c gitweb: escape URLs generated by href()
There's a cross-site scripting problem in gitweb, where it will print
URLs generated by its href() helper without further quoting. This allows
an attacker to point a victim to a specially crafted gitweb URL and
inject arbitrary HTML into the resulting page (which the victim sees as
coming from gitweb).

The base of the URL comes from evaluate_uri(), which pulls the value of
$REQUEST_URI via the CGI module. It tries to strip off $PATH_INFO, but
fails to do so in some cases (including ones that contain special
characters, like "+"). Most of the uses of the URL end up being passed
to "$cgi->a(-href = href())", which will get quoted properly by the CGI
module. But in a few places, we output them ourselves as part of
manually-generated HTML, and whatever was in the original URL will
appear unquoted in the output.

Given that all of the nearby variables placed into this manual HTML
_are_ quoted, it seems like the authors assumed that these URLs would
not need quoting. So it's possible that the bug is actually in
evaluate_uri(), which should be doing a more careful job of stripping
$PATH_INFO. There's some discussion in a comment in that function, as
well as the commit message in 81d3fe9f48 (gitweb: fix wrong base URL
when non-root DirectoryIndex, 2009-02-15). But I'm not sure I understand
it.

Regardless, it's a good idea to quote these values at the point of
insertion into the HTML output:

  1. Even if there is a bug in evaluate_uri(), this would give us
     belt-and-suspenders protection.

  2. evaluate_uri() is only handling the base. Some generated URLs will
     also mention arbitrary refs or filenames in the repositories, and
     these should be quoted anyway.

  3. It should never _hurt_ to quote (and that's what all of the
     $cgi->a() calls are doing already).

So there may be further work here, but this patch at least prevents the
XSS vulnerability, and shouldn't make anything worse.

The test here covers the calls in print_feed_meta(), but I manually
audited every call to href() to see how its output was used, and quoted
appropriately. Most of them are esc_attr(), as they're used in tag
attributes, but I used esc_html() when the URLs were printed bare. The
distinction is largely academic, as one is implemented as a wrapper for
the other.

Reported-by: NAKAYAMA DAISUKE <nakyamad@icloud.com>
Signed-off-by: Jeff King <peff@peff.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
2019-11-18 10:46:56 +09:00
..
static gitweb: Avoid overflowing page body frame with large images 2014-02-20 09:50:14 -08:00
gitweb.perl gitweb: escape URLs generated by href() 2019-11-18 10:46:56 +09:00
INSTALL gitweb: hard-depend on the Digest::MD5 5.8 module 2018-03-05 10:52:27 -08:00
Makefile Merge branch 'rj/gitweb-clean-js' 2011-10-27 12:04:21 -07:00
README gitweb/README: remove reference to git.kernel.org 2013-03-07 11:38:33 -08:00

GIT web Interface
=================

From the git version 1.4.0 gitweb is bundled with git.


Build time gitweb configuration
-------------------------------
There are many configuration variables which affect building gitweb (among
others creating gitweb.cgi out of gitweb.perl by replacing placeholders such
as `++GIT_BINDIR++` by their build-time values).

Building and installing gitweb is described in gitweb's INSTALL file
(in 'gitweb/INSTALL').


Runtime gitweb configuration
----------------------------
Gitweb obtains configuration data from the following sources in the
following order:

1. built-in values (some set during build stage),
2. common system-wide configuration file (`GITWEB_CONFIG_COMMON`,
   defaults to '/etc/gitweb-common.conf'),
3. either per-instance configuration file (`GITWEB_CONFIG`, defaults to
   'gitweb_config.perl' in the same directory as the installed gitweb),
   or if it does not exists then system-wide configuration file
   (`GITWEB_CONFIG_SYSTEM`, defaults to '/etc/gitweb.conf').

Values obtained in later configuration files override values obtained earlier
in above sequence.

You can read defaults in system-wide GITWEB_CONFIG_SYSTEM from GITWEB_CONFIG
by adding

  read_config_file($GITWEB_CONFIG_SYSTEM);

at very beginning of per-instance GITWEB_CONFIG file.  In this case
settings in said per-instance file will override settings from
system-wide configuration file.  Note that read_config_file checks
itself that the $GITWEB_CONFIG_SYSTEM file exists.

The most notable thing that is not configurable at compile time are the
optional features, stored in the '%features' variable.

Ultimate description on how to reconfigure the default features setting
in your `GITWEB_CONFIG` or per-project in `project.git/config` can be found
as comments inside 'gitweb.cgi'.

See also gitweb.conf(5) manpage.


Web server configuration
------------------------
Gitweb can be run as CGI script, as legacy mod_perl application (using
ModPerl::Registry), and as FastCGI script.  You can find some simple examples
in "Example web server configuration" section in INSTALL file for gitweb (in
gitweb/INSTALL).

See "Webserver configuration" and "Advanced web server setup" sections in
gitweb(1) manpage.


AUTHORS
-------
Originally written by:
  Kay Sievers <kay.sievers@vrfy.org>

Any comment/question/concern to:
  Git mailing list <git@vger.kernel.org>