On Tue, Nov 13, 2012 at 6:04 PM, Jeff King wrote:
> On Tue, Nov 13, 2012 at 09:44:06AM -0500, Drew Northup wrote:
>> Besides, inserting one call to esc_html only fixes one attack path. I
>> didn't look to see if all others were already covered.
>
> Properly quoting output is something that the we
On Tue, Nov 13, 2012 at 09:44:06AM -0500, Drew Northup wrote:
> I don't buy the argument that we don't need to clean up the input as
> well. There are scant few of us that are going to name a file
> "alert("Something Awful")" in this world (I am
> probably one of them). Input validation is key to
On Tue, Nov 13, 2012 at 4:45 PM, Kevin wrote:
> The problem with input filtering is that you can only filter for one
> output scenario. What if the input is going to be output in a wiki
> like environment, or to pdf, or whatever? Then you have to unescape
> the data again, and maybe apply filt
The problem with input filtering is that you can only filter for one
output scenario. What if the input is going to be output in a wiki
like environment, or to pdf, or whatever? Then you have to unescape
the data again, and maybe apply filtering/escaping for those
environments.
You only know h
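The point Kevin is making, escape at the output boundary for the context you are actually emitting into rather than filtering the input once, is shown below as an added example. It is not gitweb code and does not use gitweb's esc_html; the file names, the blocklist regex and the HTML/RSS fragments are all constructed for this example. It covers both output contexts the thread discusses (an HTML page and the RSS/XML feed) and the "unescape again" problem that escape-on-input creates for a third context.

```python
# Added example, not gitweb code. All inputs below are constructed.
import html
import re
from html.parser import HTMLParser
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

EVIL_NAME = 'x<script>alert("Something Awful")</script>.txt'
BYPASS_NAME = 'x<img src=a onerror=alert(1)>.txt'      # no <script>, still live markup
LEGIT_NAME = 'notes on <script> tags & "quoting".md'   # honest name, contains the word


def filter_on_input(name):
    """Input-filtering approach: one blocklist pattern at the door.
    Returns None (reject) when the pattern matches, else the name unchanged.
    Rejects the legitimate name and lets the <img> payload straight through."""
    if re.search(r'(?i)<script', name):
        return None
    return name


def render_html_cell_unsafe(name):
    """The bug: raw name interpolated into HTML."""
    return '<td>%s</td>' % name


def render_html_cell(name):
    """HTML context: escape at output; the browser sees text, not elements."""
    return '<td>%s</td>' % html.escape(name)


def render_rss_title_unsafe(name):
    """The feed bug: raw name interpolated into the XML document."""
    return '<item><title>%s</title></item>' % name


def render_rss_title(name):
    """XML/RSS context: same idea, applied with XML entity rules."""
    return '<item><title>%s</title></item>' % xml_escape(name)


class _Tags(HTMLParser):
    """Collects start tags, i.e. what a browser would treat as markup."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def html_tags(rendered):
    """Tags a browser would see in the rendered HTML fragment."""
    p = _Tags()
    p.feed(rendered)
    return p.tags


def rss_title_text(rendered):
    """Parse the feed fragment as a feed reader would and return
    (title text, child element tags). Injected markup shows up as children."""
    item = ET.fromstring(rendered)
    title = item.find('title')
    return title.text, [c.tag for c in title]


def stored_html_escaped(name):
    """Escape-on-input: what gets stored when you 'clean' for HTML up front."""
    return html.escape(name)


def emit_from_stored(stored, context):
    """Reusing a stored, HTML-escaped value in another context means undoing
    the HTML escaping first and then escaping for the real target context."""
    raw = html.unescape(stored)
    if context == 'html':
        return html.escape(raw)
    if context == 'xml':
        return xml_escape(raw)
    if context == 'text':
        return raw
    raise ValueError('unknown output context: %r' % context)
```

The HTML parser and the XML parser act as stand-ins for the browser and the feed reader: with the unsafe renderers the injected `<script>` and `<img>` come back as elements, with the escaping renderers the whole name comes back as text, and the legitimate name is neither rejected nor mangled.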
On Tue, Nov 13, 2012 at 3:44 PM, Drew Northup wrote:
> On Mon, Nov 12, 2012 at 3:24 PM, Jeff King wrote:
>> On Mon, Nov 12, 2012 at 01:55:46PM -0500, Drew Northup wrote:
>>> + # No XSS inclusions
>>> + if ($input =~ m!()(.*)()!){
>>> + return undef;
>>> + }
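Review bot: the regex m!()(.*)()! has empty first and third capture groups, so it matches every string and the early "return undef" rejects all input, legitimate file names included; if the groups were meant to hold a tag pattern, it is missing from the pattern. Even with a tag pattern in place, a single input-side blocklist covers one markup shape in one output context, so the escaping still has to happen where the value is emitted (the esc_html call in the feed code discussed elsewhere in the thread); the input check is at best a belt-and-braces addition, not the fix.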
>> T
On Mon, Nov 12, 2012 at 3:24 PM, Jeff King wrote:
> On Mon, Nov 12, 2012 at 01:55:46PM -0500, Drew Northup wrote:
>
>> On Sun, Nov 11, 2012 at 6:28 PM, glpk xypron wrote:
>> > Gitweb can be used to generate an RSS feed.
>> >
>> > Arbitrary tags can be inserted into the XML document describing
>>
Drew Northup writes:
> Something like this may be useful to defuse the "file" parameter, but
> I presume a more definitive fix is in order...
A proper fix will have to add esc_html to the feed generation, something
like this (untested):
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index
On Mon, Nov 12, 2012 at 10:13:27PM +0100, Jakub Narębski wrote:
> > Yeah, that looks correct, given the way the other variables
> > emitted with the same "print" like $descr and $owner are formed.
>
> It looks like a good solution to me too.
>
> Nb. the problems with feed are mainly because it
On Mon, Nov 12, 2012 at 9:36 PM, Junio C Hamano wrote:
> Jeff King writes:
>> On Mon, Nov 12, 2012 at 03:24:13PM -0500, Jeff King wrote:
>>
>>> I think the right answer is going to be a well-placed call to esc_html.
>>
>> I'm guessing the right answer is this:
>>
>> diff --git a/gitweb/gitweb.per
Jeff King writes:
> On Mon, Nov 12, 2012 at 03:24:13PM -0500, Jeff King wrote:
>
>> I think the right answer is going to be a well-placed call to esc_html.
>
> I'm guessing the right answer is this:
>
> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
> index 10ed9e5..a51a8ba 100755
> --- a/g
On Mon, Nov 12, 2012 at 03:24:13PM -0500, Jeff King wrote:
> I think the right answer is going to be a well-placed call to esc_html.
I'm guessing the right answer is this:
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 10ed9e5..a51a8ba 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/git
On Mon, Nov 12, 2012 at 01:55:46PM -0500, Drew Northup wrote:
> On Sun, Nov 11, 2012 at 6:28 PM, glpk xypron wrote:
> > Gitweb can be used to generate an RSS feed.
> >
> > Arbitrary tags can be inserted into the XML document describing
> > the RSS feed by careful construction of the URL.
> [...]