gitweb: escape html in rss title

peff · peff · commit 0f0ecf68b313 · 2012-11-12T16:34:53.000-05:00
The title of an RSS feed is generated from many components,
including the filename provided as a query parameter, but we
failed to quote it.  Besides showing the wrong output, this
is a vector for XSS attacks.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
@@ -8055,6 +8055,7 @@ sub git_feed {
 		$feed_type = 'history';
 	}
 	$title .= " $feed_type";
+	$title = esc_html($title);
 	my $descr = git_get_project_description($project);
 	if (defined $descr) {
 		$descr = esc_html($descr);
diff --git a/t/t9502-gitweb-standalone-parse-output.sh b/t/t9502-gitweb-standalone-parse-output.sh
@@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' '
 	test_cmp expected actual
 '
 
+xss() {
+	echo >&2 "Checking $1..." &&
+	gitweb_run "$1" &&
+	if grep "$TAG" gitweb.body; then
+		echo >&2 "xss: $TAG should have been quoted in output"
+		return 1
+	fi
+	return 0
+}
+
+test_expect_success 'xss checks' '
+	TAG="<magic-xss-tag>" &&
+	xss "a=rss&p=$TAG" &&
+	xss "a=rss&p=foo.git&f=$TAG"
+'
 
 test_done

Original file line number	Diff line number	Diff line change
`@@ -8055,6 +8055,7 @@ sub git_feed {`
`8055`	`8055`	`$feed_type = 'history';`
`8056`	`8056`	`}`
`8057`	`8057`	`$title .= " $feed_type";`
	`8058`	`+ $title = esc_html($title);`
`8058`	`8059`	`my $descr = git_get_project_description($project);`
`8059`	`8060`	`if (defined $descr) {`
`8060`	`8061`	`$descr = esc_html($descr);`