Re: [PATCH] gitweb: escape link body in format_ref_marker
On Mon, Aug 1, 2016 at 9:54 PM, Junio C Hamano wrote:
> Jakub Narębski writes:
>
>> Good catch!
>>
>> Acked-by: Jakub Narębski
>
> Sigh; the contents may be good but the patch is unusable as-is
> because of heavy whitespace damage.
>
> I'll fix it up. Thanks, both.

My apologies for that, it seems that gmail doesn't do tabs.

I resubmitted the PR as #283 on GitHub along with Jakub's Ack and fixed the typo he pointed out in the commit message: https://github.com/git/git/pull/283

Kind regards
andreas

> >>> --- >>> gitweb/gitweb.perl | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl >>> index 2fddf75..33d701d 100755 >>> --- a/gitweb/gitweb.perl >>> +++ b/gitweb/gitweb.perl >>> @@ -2090,7 +2090,7 @@ sub format_ref_marker { >>> -href => href( >>> action=>$dest_action, >>> hash=>$dest >>> - )}, $name); >>> + )}, esc_html($name)); >>> >>> $markers .= " >> class=\"".esc_attr($class)."\" title=\"".esc_attr($ref)."\">" . >>> $link . ""; >>> -- To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH] gitweb: escape link body in format_ref_marker
Jakub Narębski writes:

> Good catch!
>
> Acked-by: Jakub Narębski

Sigh; the contents may be good but the patch is unusable as-is because of heavy whitespace damage.

I'll fix it up. Thanks, both.

>> --- >> gitweb/gitweb.perl | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl >> index 2fddf75..33d701d 100755 >> --- a/gitweb/gitweb.perl >> +++ b/gitweb/gitweb.perl >> @@ -2090,7 +2090,7 @@ sub format_ref_marker { >> -href => href( >> action=>$dest_action, >> hash=>$dest >> - )}, $name); >> + )}, esc_html($name)); >> >> $markers .= " > class=\"".esc_attr($class)."\" title=\"".esc_attr($ref)."\">" . >> $link . "";
Re: [PATCH] gitweb: escape link body in format_ref_marker
On 29.07.2016 at 16:49, Andreas Brauchli wrote:
> Fix a case where an html link can be generated from unescaped input
> resulting in invalid strict xhtml or potentially injected code.
>
> An overview of a repo with a tag "1.0.0&0.0.1" would previously result
> in an unescaped amperstand in the link body.

s/amperstand/ampersand/
        ^ [ spurious 't' ]

Unescaped ampersand would cause trouble if gitweb output is in XHTML mode, as some web browsers are strict about validating XML, and do not display anything (note: this detail is unnecessary in the commit message).

I guess that "1.0.0&0.0.1" tags are something encountered in real repositories, while "12" would be just something evil...

> Signed-off-by: Andreas Brauchli

Good catch!

Acked-by: Jakub Narębski

> --- > gitweb/gitweb.perl | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl > index 2fddf75..33d701d 100755 > --- a/gitweb/gitweb.perl > +++ b/gitweb/gitweb.perl > @@ -2090,7 +2090,7 @@ sub format_ref_marker { > -href => href( > action=>$dest_action, > hash=>$dest > - )}, $name); > + )}, esc_html($name)); > > $markers .= " class=\"".esc_attr($class)."\" title=\"".esc_attr($ref)."\">" . > $link . "";
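As an added example (not gitweb's own code and not part of Andreas's patch or this thread), the following Perl script is a reduced model of the marker that format_ref_marker builds. It renders the link body once as it was before the hunk and once with esc_html applied as the hunk does, and runs both over the tag name from the commit message and a constructed tag name that carries markup. The esc_html, esc_attr, href and url_encode functions are simplified stand-ins for gitweb's real ones, and the link_body_is_safe probe is an assumption added for the demonstration; the output it flags as UNSAFE is exactly what a strict XHTML parser would reject or what would let a ref name smuggle markup into the page.

```perl
#!/usr/bin/perl
# Added example, not gitweb's code: before/after model of the ref marker
# link body discussed in the thread.
use strict;
use warnings;

# Stand-ins for gitweb's esc_html/esc_attr (assumption: the real ones do
# more, e.g. control-character handling). These cover the characters that
# matter for a ref name placed in HTML text or a double-quoted attribute.
sub esc_html {
    my ($str) = @_;
    $str =~ s/&/&amp;/g;
    $str =~ s/</&lt;/g;
    $str =~ s/>/&gt;/g;
    $str =~ s/"/&quot;/g;
    return $str;
}
sub esc_attr { return esc_html(shift) }

# Percent-encode a query value, keeping the RFC 3986 unreserved set.
sub url_encode {
    my ($str) = @_;
    $str =~ s/([^A-Za-z0-9._~-])/sprintf('%%%02X', ord($1))/ge;
    return $str;
}

# Stand-in for gitweb's href() (assumption: the real one builds the full
# gitweb URL; only the two parameters the marker passes are modelled).
sub href {
    my %p = @_;
    return '?a=' . url_encode($p{action}) . ';h=' . url_encode($p{hash});
}

# Marker as built before the patch: $name is interpolated raw.
sub ref_marker_before {
    my ($class, $ref, $name) = @_;
    my $link = '<a href="' . esc_attr(href(action => 'shortlog', hash => $ref))
             . '">' . $name . '</a>';
    return '<span class="' . esc_attr($class) . '" title="' . esc_attr($ref)
         . '">' . $link . '</span>';
}

# Marker after the patch: the only difference is esc_html($name).
sub ref_marker_after {
    my ($class, $ref, $name) = @_;
    my $link = '<a href="' . esc_attr(href(action => 'shortlog', hash => $ref))
             . '">' . esc_html($name) . '</a>';
    return '<span class="' . esc_attr($class) . '" title="' . esc_attr($ref)
         . '">' . $link . '</span>';
}

# Pull out the text node that becomes the link body and check that it holds
# no raw '<' or '>' and no '&' that does not start an entity reference.
sub link_body_is_safe {
    my ($html) = @_;
    my ($body) = $html =~ m{<a [^>]*>(.*?)</a>}s;
    return defined $body && $body !~ /[<>]|&(?!(?:[A-Za-z]+|#\d+);)/;
}

# Constructed inputs: the tag from the commit message, and a tag name that
# contains markup (git ref names may legitimately contain '<' and '>').
for my $tag ('1.0.0&0.0.1', '<b>bold</b>') {
    my $ref = "refs/tags/$tag";
    for my $variant ([before => \&ref_marker_before],
                     [after  => \&ref_marker_after]) {
        my ($label, $fn) = @$variant;
        my $html = $fn->('tag', $ref, $tag);
        printf "%-6s %-6s %s\n", $label,
            (link_body_is_safe($html) ? 'ok' : 'UNSAFE'), $html;
    }
}
```

Run it with `perl` and compare the two lines per tag: the "before" body carries the raw `&` (and, for the second tag, live `<b>` markup) into the document, while the "after" body holds `&amp;` and `&lt;b&gt;`, and the title attribute is escaped in both because esc_attr was already applied there before the patch.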
[PATCH] gitweb: escape link body in format_ref_marker
Fix a case where an html link can be generated from unescaped input resulting in invalid strict xhtml or potentially injected code.

An overview of a repo with a tag "1.0.0&0.0.1" would previously result in an unescaped amperstand in the link body.

Signed-off-by: Andreas Brauchli
---
gitweb/gitweb.perl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 2fddf75..33d701d 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -2090,7 +2090,7 @@ sub format_ref_marker { -href => href( action=>$dest_action, hash=>$dest - )}, $name); + )}, esc_html($name)); $markers .= " " . $link . ""; -- 2.7.4
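Review bot: the hunk escapes only the link body (`)}, esc_html($name));`), which is correct for this call site because the href is produced by href() rather than by raw interpolation and the class and title attributes on the enclosing element already pass through esc_attr(), but the commit message should say so explicitly so a later reader does not wonder whether the href argument was overlooked; a regression test that creates a tag whose name contains '&' and checks the rendered marker for '&amp;' would also guard against the same omission returning. As Junio notes, the posted copy is whitespace-damaged (tabs lost in the mail client), so the resend should go through git send-email or as an attachment so that it applies cleanly.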