Bug#607248: marked as done (gitweb: XSS vulnerability (CVE 2010-3906))

2011-01-14 Thread Debian Bug Tracking System
Your message dated Sat, 15 Jan 2011 01:54:20 +
with message-id e1pdvlq-0004qf...@franck.debian.org
and subject line Bug#607248: fixed in git-core 1:1.5.6.5-3+lenny3.3
has caused the Debian Bug report #607248,
regarding gitweb: XSS vulnerability (CVE 2010-3906)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
607248: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607248
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
---BeginMessage---
Package: gitweb
Version: 1:1.5.0~rc3-1
Severity: serious
Tags: security patch upstream fixed-upstream

Hi,

As the release notes for git 1.7.2.5 explain:

 * gitweb can sometimes be tricked into parroting a filename argument
   given in a request without properly quoting.

Fixed by v1.6.4.5~1 (gitweb: Introduce esc_attr to escape attributes
of HTML elements, 2010-12-15).  Backport to 1.5.6.5 follows.

-- 8< --
From: Jakub Narebski jna...@gmail.com
Date: Wed, 15 Dec 2010 00:34:01 +0100
Subject: gitweb: Introduce esc_attr to escape attributes of HTML elements

It is needed only to escape attributes of handcrafted HTML elements,
and not those generated using CGI.pm subroutines / methods for HTML
generation.

While at it, add esc_url and esc_html where needed, and prefer to use
CGI.pm HTML generating methods than handcrafted HTML code.  Most of
those are probably unnecessary (could be exploited only by person with
write access to gitweb config, or at least access to the repository).

This fixes CVE-2010-3906

Reported-by: Emanuele Gentili e.gent...@tigersecurity.it
Helped-by: John 'Warthog9' Hawley warth...@kernel.org
Helped-by: Jonathan Nieder jrnie...@gmail.com
Signed-off-by: Jakub Narebski jna...@gmail.com
Signed-off-by: Junio C Hamano gits...@pobox.com
(cherry picked from commit 3017ed62f47ce14a959e2d315c434d4980cf4243)
Signed-off-by: Jonathan Nieder jrnie...@gmail.com
---
 gitweb/gitweb.perl |   35 +--
 1 files changed, 21 insertions(+), 14 deletions(-)

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index f88ce35..6dc9a6a 100755
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -730,6 +730,13 @@ sub esc_url {
return $str;
 }
 
+# quote unsafe characters in HTML attributes
+sub esc_attr {
+
+   # for XHTML conformance escaping '' to 'quot;' is not enough
+   return esc_html(@_);
+}
+
 # replace invalid utf8 character with SUBSTITUTION sequence
 sub esc_html ($;%) {
my $str = shift;
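Review bot: esc_attr calls esc_html(@_) and only behaves as intended because it is defined above sub esc_html ($;%), so the prototype is not yet in effect when that call is compiled. If esc_attr is later moved below esc_html, or a forward declaration is added, the $ in the prototype would evaluate @_ in scalar context and the argument count would be escaped instead of the string. Taking the value explicitly (my $str = shift; return esc_html($str);) removes the ordering dependency and stops callers from forwarding esc_html's optional hash into attribute context. The comment also says what is not enough for XHTML but not what esc_html adds that attributes need; one more line there would help.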
@@ -1106,7 +1113,7 @@ sub format_ref_marker {
$name = $ref;
}
 
-   $markers .=  span class=\$type\ title=\$ref\ .
+   $markers .=  span class=\.esc_attr($type).\ 
title=\.esc_attr($ref).\ .
esc_html($name) . /span;
}
}
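Review bot: in format_ref_marker the span is still assembled by string concatenation, so its safety depends on each interpolated value being wrapped by hand, while the commit message states a preference for CGI.pm HTML generating methods over handcrafted HTML. Consider building this element with CGI.pm's span method, passing class and title as attributes and esc_html($name) as the content, so the attribute quoting happens in one place.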
@@ -2517,11 +2524,11 @@ EOF
 # print out each stylesheet that exist
if (defined $stylesheet) {
 #provides backwards capability for those people who define style sheet in a 
config file
-   print 'link rel=stylesheet type=text/css 
href='.$stylesheet.'/'.\n;
+   print 'link rel=stylesheet type=text/css 
href='.esc_url($stylesheet).'/'.\n;
} else {
foreach my $stylesheet (@stylesheets) {
next unless $stylesheet;
-   print 'link rel=stylesheet type=text/css 
href='.$stylesheet.'/'.\n;
+   print 'link rel=stylesheet type=text/css 
href='.esc_url($stylesheet).'/'.\n;
}
}
if (defined $project) {
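Review bot: the stylesheet link is printed by two identical statements, one in the if (defined $stylesheet) branch and one inside the foreach, and esc_url had to be added to both. Routing both cases through a single print (for example by looping over one list that holds either $stylesheet or @stylesheets) leaves one output site to keep escaped. The loop variable my $stylesheet also shadows the outer $stylesheet, which makes it easy to misread which value is being escaped.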
@@ -2534,7 +2541,7 @@ EOF
my $type = lc($format);
my %link_attr = (
'-rel' = 'alternate',
-   '-title' = $project - $href_params{'-title'} 
- $format feed,
+   '-title' = esc_attr($project - 
$href_params{'-title'} - $format feed),
'-type' = application/$type+xml
);
 
@@ -2561,13 +2568,13 @@ EOF
} else {
printf('link rel=alternate title=%s projects list '.
   'href=%s type=text/plain; charset=utf-8 /'.\n,
-  $site_name, href(project=undef, 
action=project_index));
+  esc_attr($site_name), href(project=undef, 
action=project_index));
printf('link rel=alternate title=%s projects feeds '.
   'href=%s type=text/x-opml /'.\n,
-  $site_name, href(project=undef, action=opml));
+  
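Review bot: in the first printf of this hunk only $site_name is wrapped with esc_attr, while the result of href(project=undef, action=project_index) is still substituted into the href attribute unescaped by the same format string. Either escape that argument as well or add a comment stating why href() output is already safe inside an attribute. The rest of the hunk is cut off on this page, so the second printf cannot be checked.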

Bug#607248: marked as done (gitweb: XSS vulnerability (CVE 2010-3906))

2010-12-16 Thread Debian Bug Tracking System
Your message dated Thu, 16 Dec 2010 10:02:37 +
with message-id e1ptafv-s2...@franck.debian.org
and subject line Bug#607248: fixed in git 1:1.7.2.3-2.2
has caused the Debian Bug report #607248,
regarding gitweb: XSS vulnerability (CVE 2010-3906)
to be marked as done.
