From: john at keeping.me.uk (John Keeping)
Subject: XSS in cgit
Date: Thu, 14 Jan 2016 11:07:39 +0000 [thread overview]
Message-ID: <20160114110739.GI14056@serenity.lan> (raw)
In-Reply-To: <CAHmME9qM0boQM2iXdeGMJt2qfBtShb-_yjyetW3YZB_5+Dv_EA@mail.gmail.com>
On Thu, Jan 14, 2016 at 12:01:57PM +0100, Jason A. Donenfeld wrote:
> On Thu, Jan 14, 2016 at 11:57 AM, John Keeping <john at keeping.me.uk> wrote:
> > I wonder if we should just drop support for the "mimetype" query
> > parameter and see if anyone complains. In general, I would expect it to
> > be the server's responsibility to decide on the type of its output and
> > allowing the client to override it seems like a problem in general.
>
> Agreed here.
>
> We still have the other issue of git repos containing valid html with
> malicious scripts and whatnot, though. Can we simply kill the feature
> of allowing HTML to be served from cgit? This would indeed fix the
> security issue in the best way. But would folks complain?
Unlike the "mimetype" query parameter, I can see valid usecases for
serving HTML from repositories with CGit (I've even used it myself in
the past), so I expect there will be complaints for that one.
Could we add a config knob for serving HTML and turn if off by default?
That will allow people who trust their repository contents to use this
feature while protecting everyone else.
next prev parent reply other threads:[~2016-01-14 11:07 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-13 16:07 Jason
2016-01-13 19:11 ` normalperson
2016-01-15 11:34 ` Jason
2016-01-15 15:18 ` Jason
[not found] ` <7B8B10EF-8DCA-4115-9D33-4DD56F670BAB@klever.net>
2016-01-16 0:23 ` Jason
2016-01-16 9:38 ` john
2016-01-17 16:23 ` Fwd: " Jason
2016-01-14 10:57 ` john
2016-01-14 11:01 ` Jason
2016-01-14 11:07 ` john [this message]
2016-01-14 11:53 ` mailings
2016-01-14 12:59 ` Jason
2016-01-14 13:35 ` Jason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160114110739.GI14056@serenity.lan \
--to=cgit@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).