Package: gitweb
Version: 1:2.39.2-1.1
Severity: minor
Tags: patch

```
gitweb.cgi: Use of uninitialized value $params{"action"} in string eq at /usr/lib/cgi-bin/gitweb.cgi line 1432.
```

Patch is attached.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gitweb depends on:
ii  git             1:2.42.0-1
ii  libcgi-pm-perl  4.57-1
ii  perl            5.36.0-9

Versions of packages gitweb recommends:
ii  libhttp-date-perl  6.05-2
ii  lynx               2.9.0dev.12-1
ii  nginx [httpd]      1.24.0-2

Versions of packages gitweb suggests:
pn  git-doc            <none>
ii  nginx [httpd-cgi]  1.24.0-2

-- 
 .''`.   martin f. krafft <madduck@d.o>
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

--- /tmp/gitweb.cgi 2024-01-08 08:32:37.267888437 +0100 +++ /usr/lib/cgi-bin/gitweb.cgi 2024-01-08 08:34:06.427008372 +0100 @@ -1427,13 +1427,16 @@ $href .= "/".esc_path_info($params{'project'}); delete $params{'project'}; - # since we destructively absorb parameters, we keep this - # boolean that remembers if we're handling a snapshot - my $is_snapshot = $params{'action'} eq 'snapshot'; + # since we destructively absorb parameters, we keep + # this boolean that remembers if we're handling a + # snapshot (see next conditional) + my $is_snapshot = 0; # Summary just uses the project path URL, any other action is # added to the URL if (defined $params{'action'}) { + $is_snapshot = $params{'action'} eq 'snapshot'; + $href .= "/".esc_path_info($params{'action'}) unless $params{'action'} eq 'summary'; delete $params{'action'};
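
Review bot: The file headers name absolute paths (`/tmp/gitweb.cgi` and the installed `/usr/lib/cgi-bin/gitweb.cgi`), so this will not apply with the usual `-p1` against a package source tree; please regenerate the diff against the packaged source with relative paths. On the logic at `@@ -1427,13 +1427,16 @@`: moving the comparison inside the existing `if (defined $params{'action'})` is the right guard for the warning, and it is correctly placed before `delete $params{'action'};`, so the value is still captured before the parameter is absorbed. Note that `$is_snapshot` now starts as `0` but becomes the empty string when the action is defined and not `snapshot`; both are false in boolean context, which is fine as long as later code only tests it for truth. As a style point, the comment was rewrapped across three lines, which makes the hunk larger than the fix needs; keeping the two original comment lines and only appending `(see next conditional)` would leave a smaller, easier to review diff.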