Git https://git.stealer.net/cgit.cgi/user/sven/git.git/atom?h=v2.26.0-rc2 2020-01-08T20:44:11Z 2020-01-08T20:44:11Z Junio C Hamano gitster@pobox.com 2020-01-08T20:44:11Z urn:sha1:c5dc20638baf54c43092ee676e0692cba954b194 Typofix. * do/gitweb-typofix-in-comments: gitweb: fix a couple spelling errors in comments 2020-01-04T23:09:33Z Denis Ovsienko denis@ovsienko.info 2020-01-04T17:39:26Z urn:sha1:4e2c4c0d4f0e44909a7e38caadbb79ef9534f3e2 Signed-off-by: Denis Ovsienko <denis@ovsienko.info> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2019-12-01T17:04:41Z Junio C Hamano gitster@pobox.com 2019-12-01T17:04:41Z urn:sha1:6c630f237e72d3adef8a089bdf984ec1e47b2708 Some codepaths in "gitweb" that forgot to escape URLs generated based on end-user input have been corrected. * jk/gitweb-anti-xss: gitweb: escape URLs generated by href() t/gitweb-lib.sh: set $REQUEST_URI t/gitweb-lib.sh: drop confusing quotes t9502: pass along all arguments in xss helper 2019-12-01T17:04:35Z Junio C Hamano gitster@pobox.com 2019-12-01T17:04:35Z urn:sha1:d3096d2ba68aa6814d531317433f1cdcd76ba55c Docfix. * en/doc-typofix: Fix spelling errors in no-longer-updated-from-upstream modules multimail: fix a few simple spelling errors sha1dc: fix trivial comment spelling error Fix spelling errors in test commands Fix spelling errors in messages shown to users Fix spelling errors in names of tests Fix spelling errors in comments of testcases Fix spelling errors in code comments Fix spelling errors in documentation outside of Documentation/ Documentation: fix a bunch of typos, both old and new 2019-11-18T01:46:56Z Jeff King peff@peff.net 2019-11-15T09:06:07Z urn:sha1:a376e37b2c418b8f630741552d76a5b18c87c133 There's a cross-site scripting problem in gitweb, where it will print URLs generated by its href() helper without further quoting. This allows an attacker to point a victim to a specially crafted gitweb URL and inject arbitrary HTML into the resulting page (which the victim sees as coming from gitweb). The base of the URL comes from evaluate_uri(), which pulls the value of $REQUEST_URI via the CGI module. It tries to strip off $PATH_INFO, but fails to do so in some cases (including ones that contain special characters, like "+"). Most of the uses of the URL end up being passed to "$cgi->a(-href = href())", which will get quoted properly by the CGI module. But in a few places, we output them ourselves as part of manually-generated HTML, and whatever was in the original URL will appear unquoted in the output. Given that all of the nearby variables placed into this manual HTML _are_ quoted, it seems like the authors assumed that these URLs would not need quoting. So it's possible that the bug is actually in evaluate_uri(), which should be doing a more careful job of stripping $PATH_INFO. There's some discussion in a comment in that function, as well as the commit message in 81d3fe9f48 (gitweb: fix wrong base URL when non-root DirectoryIndex, 2009-02-15). But I'm not sure I understand it. Regardless, it's a good idea to quote these values at the point of insertion into the HTML output: 1. Even if there is a bug in evaluate_uri(), this would give us belt-and-suspenders protection. 2. evaluate_uri() is only handling the base. Some generated URLs will also mention arbitrary refs or filenames in the repositories, and these should be quoted anyway. 3. It should never _hurt_ to quote (and that's what all of the $cgi->a() calls are doing already). So there may be further work here, but this patch at least prevents the XSS vulnerability, and shouldn't make anything worse. The test here covers the calls in print_feed_meta(), but I manually audited every call to href() to see how its output was used, and quoted appropriately. Most of them are esc_attr(), as they're used in tag attributes, but I used esc_html() when the URLs were printed bare. The distinction is largely academic, as one is implemented as a wrapper for the other. Reported-by: NAKAYAMA DAISUKE <nakyamad@icloud.com> Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2019-11-10T07:00:54Z Elijah Newren newren@gmail.com 2019-11-05T17:07:23Z urn:sha1:15beaaa3d1f6b555900446deb5e376b4f806d734 Reported-by: Jens Schleusener <Jens.Schleusener@fossies.org> Signed-off-by: Elijah Newren <newren@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2019-10-28T02:06:57Z Robert Luberda robert@debian.org 2019-10-27T09:14:26Z urn:sha1:52bd3e46574baecf06562d4da857ba445981beb9 Without this change, the setting $feature{'javascript-actions'}{'default'} = [1]; in gitweb.conf breaks gitweb's blame page: clicking on line numbers displayed in the second column on the page has no effect. For comparison, with javascript-actions disabled, clicking on line numbers loads the previous version of the line. Addresses https://bugs.debian.org/741883. Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> Signed-off-by: Robert Luberda <robert@debian.org> Acked-by: Jakub Narębski <jnareb@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2019-04-01T02:57:39Z brian m. carlson sandals@crustytoothpaste.net 2019-02-19T00:05:26Z urn:sha1:cfb049119c9e8b8f66a2e1faf1621ac48f714412 Gitweb has several hard-coded 40 values throughout it to check for values that are passed in or acquired from Git. To simplify the code, introduce a regex variable that matches either exactly 40 or exactly 64 hex characters, and use this variable anywhere we would have previously hard-coded a 40 in a regex. Add some helper functions which allow us to write tighter regexes that match exactly the number of hex characters we're expecting. Similarly, switch the code that looks for deleted diffinfo information to look for either 40 or 64 zeros, and update one piece of code to use this function. Finally, when formatting a log line, allow an abbreviated describe output to contain up to 64 characters. Helped-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2018-03-05T18:52:27Z Ævar Arnfjörð Bjarmason avarab@gmail.com 2018-03-03T15:38:08Z urn:sha1:7d5b30e09fc705b84bba57ac655263ab6d8f71a6 Since my d48b284183 ("perl: bump the required Perl version to 5.8 from 5.6.[21]", 2010-09-24), we've depended on 5.8, so there's no reason to conditionally require Digest::MD5 anymore. It was released with perl v5.7.3[1] The initial introduction of the dependency in e9fdd74e53 ("gitweb: (gr)avatar support", 2009-06-30) says as much, this also undoes part of the later 2e9c8789b7 ("gitweb: Mention optional Perl modules in INSTALL", 2011-02-04) since gitweb will always be run on at least 5.8, so there's no need to mention Digest::MD5 as a required module in the documentation, let's instead say that we require perl 5.8. 1. $ corelist Digest::MD5 Data for 2015-02-14 Digest::MD5 was first released with perl v5.7.3 Signed-off-by: Ævar Arnfjörð Bjarmason <avarab@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com> 2017-11-06T05:24:30Z Junio C Hamano gitster@pobox.com 2017-11-06T05:24:30Z urn:sha1:9c958d69061b991097827fc53910dcb1b4f80485 "gitweb" checks if a directory is searchable with Perl's "-x" operator, which can be enhanced by using "filetest 'access'" pragma, which now we do. * gc/gitweb-filetest-acl: gitweb: use filetest to allow ACLs