On 2019/03/15 16:05, Ingo Schwarze wrote:
> Hi,
>
> the trouble with cvsweb is that it is important OpenBSD project
> infrastructure (consider cvsweb.openbsd.org) that has been abandoned
> upstream 13 years ago, our version is 16 years old, and the port
> has no maintainer. Does anybody consider it funny to run a software
> in production that is closely related to version control, but
> (according to my knowledge) is not currently under version control
> itself?
>
> Given that i'm still using it on bsd.lv, too, i'm willing to host
> a CVS repo for it and the release tarballs (historic and future)
> on bsd.lv, pick up upstream maintenance, and also maintain the port.
>
> Does that sound reasonable to people round here?
> If so, does anyone know whether a copy of the original CVS repository
> that it resided in still exists somewhere? It seems to have vanished
> from https://svnweb.freebsd.org/base/projects/ ...
Definitely.
> I don't consider the XSS urgent, but it would of course get fixed
> in the process. If people wanted, they could test and commit patches
> to the port beforehand, but i'm not sure it's needed.
I wondered about doing something like this. Untested (I don't have an
installation handy) but it should disable inline scripts and some other
types of content, while still permitting inline CSS that cvsweb needs.
Index: cvsweb.cgi
--- cvsweb.cgi.orig
+++ cvsweb.cgi
@@ -3572,8 +3572,11 @@ sub http_header(;$) {
if ($is_mod_perl) {
Apache->request->content_type($content_type);
+ Apache->request->header_out(
+ "Content-Security-Policy" => "default-src 'self';
style-src 'self' 'unsafe-inline';");
} else {
print "Content-Type: $content_type\r\n";
+ print "Content-Security-Policy: default-src 'self'; style-src
'self' 'unsafe-inline';\r\n";
}
if ($allow_compress && $maycompress) {
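Review bot: in both branches the header value as shown spans two source lines inside the string literal (`+ "Content-Security-Policy" => "default-src 'self';` continues on the next line with `style-src 'self' 'unsafe-inline';");`, and likewise in the `print`), so unless that is only mail wrapping, the mod_perl branch hands Apache a multi-line header value and the CGI branch prints a bare LF in the middle of the header, which ends or invalidates it. Keep the whole value on one line, e.g. `print "Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'\r\n";`. The policy itself matches the cover text: with no `script-src`, scripts fall back to `default-src 'self'`, which blocks inline scripts, and `style-src` adds `'unsafe-inline'` for the inline CSS; since the reply calls it untested, it is worth confirming no cvsweb page depends on inline event handlers before committing. This is defence in depth only; the XSS mentioned in the quoted mail still needs the output-escaping fix.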
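To check the two properties the reply aims at (inline scripts blocked, inline styles allowed) and to catch the wrapped-header problem before a policy like this ships, here is a small Python checker. It is an added example, not code from the cvsweb patch or the mailing-list thread; it assumes the standard CSP rule that fetch directives such as `script-src` and `style-src` fall back to `default-src` when absent, and it treats a `'unsafe-inline'` keyword as the only way inline content is permitted (nonces and hashes are not modelled).

```python
"""Check a Content-Security-Policy header value for the properties the cvsweb
patch is after: inline scripts blocked, inline styles allowed, value legal as
a single header line.  Added example, not part of the cvsweb patch."""

# Fetch directives that fall back to default-src when not given explicitly.
FALLS_BACK_TO_DEFAULT = {"script-src", "style-src", "img-src", "connect-src",
                         "font-src", "media-src", "object-src", "frame-src"}


def parse_csp(value):
    """Parse a CSP value into {directive: [source, ...]}.

    Directives are separated by ';' and tokens by whitespace.  Directive names
    are case-insensitive; source expressions are kept as written.  A repeated
    directive is ignored by browsers, so the first occurrence wins here too."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Source list that governs `directive`, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT:
        return policy.get("default-src", [])
    return []


def allows_inline(policy, directive):
    """True when inline content of that kind may run/apply under the policy.

    A directive with no governing source list (neither it nor default-src is
    present) restricts nothing, so inline content is allowed in that case."""
    if directive not in policy and (directive not in FALLS_BACK_TO_DEFAULT
                                    or "default-src" not in policy):
        return True
    sources = effective_sources(policy, directive)
    return any(t.lower() == "'unsafe-inline'" for t in sources)


def header_value_is_legal(value):
    """CR or LF inside a header value ends the header early or gets the
    response rejected; a CSP wrapped across two lines fails this check."""
    return "\r" not in value and "\n" not in value


def assess(value):
    """Summarise the properties that matter for the cvsweb policy."""
    policy = parse_csp(value)
    return {
        "inline_script_blocked": not allows_inline(policy, "script-src"),
        "inline_style_allowed": allows_inline(policy, "style-src"),
        "header_value_legal": header_value_is_legal(value),
    }


# Constructed samples: the policy from the patch on one line, and the same
# policy with the line break that appears inside the string in the hunk.
PATCH_POLICY = "default-src 'self'; style-src 'self' 'unsafe-inline';"
WRAPPED_POLICY = "default-src 'self';\nstyle-src 'self' 'unsafe-inline';"

if __name__ == "__main__":
    for v in (PATCH_POLICY, WRAPPED_POLICY):
        print(repr(v), assess(v))
```

Run it against the value your server actually emits (for example the `Content-Security-Policy` line from `curl -sI` on a cvsweb page) rather than the value in the source, so that any wrapping introduced on the way out is what gets checked.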