Package: gitweb
Version: 1:2.39.2-1.1
Severity: minor
Tags: patch

```
gitweb.cgi: Use of uninitialized value $params{"action"} in string eq at 
/usr/lib/cgi-bin/gitweb.cgi line 1432.
```

Patch is attached.

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.5.0-3-amd64 (SMP w/8 CPU threads; PREEMPT)
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gitweb depends on:
ii  git             1:2.42.0-1
ii  libcgi-pm-perl  4.57-1
ii  perl            5.36.0-9

Versions of packages gitweb recommends:
ii  libhttp-date-perl  6.05-2
ii  lynx               2.9.0dev.12-1
ii  nginx [httpd]      1.24.0-2

Versions of packages gitweb suggests:
pn  git-doc            <none>
ii  nginx [httpd-cgi]  1.24.0-2


-- 
 .''`.   martin f. krafft <madduck@d.o>
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems
--- /tmp/gitweb.cgi	2024-01-08 08:32:37.267888437 +0100
+++ /usr/lib/cgi-bin/gitweb.cgi	2024-01-08 08:34:06.427008372 +0100
@@ -1427,13 +1427,16 @@
 		$href .= "/".esc_path_info($params{'project'});
 		delete $params{'project'};
 
-		# since we destructively absorb parameters, we keep this
-		# boolean that remembers if we're handling a snapshot
-		my $is_snapshot = $params{'action'} eq 'snapshot';
+                # since we destructively absorb parameters, we keep
+                # this boolean that remembers if we're handling a
+                # snapshot (see next conditional)
+                my $is_snapshot = 0;
 
 		# Summary just uses the project path URL, any other action is
 		# added to the URL
 		if (defined $params{'action'}) {
+                        $is_snapshot = $params{'action'} eq 'snapshot';
+
 			$href .= "/".esc_path_info($params{'action'})
 				unless $params{'action'} eq 'summary';
 			delete $params{'action'};
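
Review bot: The added lines in this hunk (the rewrapped comment, the "my $is_snapshot = 0;" declaration and the assignment inside the "if (defined $params{'action'})" block) are indented with spaces, while the surrounding context lines use tabs. Please re-indent them with tabs and keep the original comment text, so the diff shows only the logic change. The same warning can also be silenced with a one-line change that leaves the declaration where it was: my $is_snapshot = defined $params{'action'} && $params{'action'} eq 'snapshot'; This avoids splitting the initialisation and the assignment across the conditional, and it keeps the value computed before "delete $params{'action'}" runs, as the patch already does.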
