The file name displayed in the rename hint should be escaped to avoid XSS. Note that this vulnerability is only applicable when an attacker has gained push access to the repository.
Signed-off-by: Lukas Fleischer <[email protected]> --- ui-diff.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ui-diff.c b/ui-diff.c index 868ceec..d97a801 100644 --- a/ui-diff.c +++ b/ui-diff.c @@ -97,10 +97,12 @@ static void print_fileinfo(struct fileinfo *info) htmlf("</td><td class='%s'>", class); cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1, ctx.qry.sha2, info->new_path, 0); - if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) - htmlf(" (%s from %s)", - info->status == DIFF_STATUS_COPIED ? "copied" : "renamed", - info->old_path); + if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) { + htmlf(" (%s from ", + info->status == DIFF_STATUS_COPIED ? "copied" : "renamed"); + html_txt(info->old_path); + html(")"); + } html("</td><td class='right'>"); if (info->binary) { htmlf("bin</td><td class='graph'>%ld -> %ld bytes", -- 1.7.6 _______________________________________________ cgit mailing list [email protected] http://hjemli.net/mailman/listinfo/cgit
