From mboxrd@z Thu Jan  1 00:00:00 1970
From: Jason at zx2c4.com (Jason A. Donenfeld)
Date: Sun, 17 Jan 2016 17:23:24 +0100
Subject: Fwd: XSS in cgit
In-Reply-To: <7B8B10EF-8DCA-4115-9D33-4DD56F670BAB@klever.net>
References: <CAHmME9pf_TjMHYiNuqC4fF5i69w+ntV+Rgv_Tt5c2Y7MnCtgKA@mail.gmail.com>
 <20160113191100.GA1660@dcvr.yhbt.net>
 <CAHmME9qJA5q_n2-+mRsh6tqNdXtRd5e_28JFFQF4RTKjKHjaxQ@mail.gmail.com>
 <CAHmME9odymyXwoAT2qtuvVciEAdGLK44bzyumRf+yPWaVnJkZQ@mail.gmail.com>
 <7B8B10EF-8DCA-4115-9D33-4DD56F670BAB@klever.net>
Message-ID: <CAHmME9rwqziqmxrPL+UiwpG++xW1gd+a8XS3=kFJyXQkKKXqEQ@mail.gmail.com>

---------- Forwarded message ----------
From: Michael Krelin <hacker at klever.net>
Date: Fri, Jan 15, 2016 at 7:17 PM
Subject: Re: XSS in cgit
To: "Jason A. Donenfeld" <Jason at zx2c4.com>
Cc: "cgit at lists.zx2c4.com" <cgit at lists.zx2c4.com>



Hey,

I can?t remember all the details (2008!), but the main idea was to
feed the URL directly to something that would process it according to
the content type header. In particular, I believe I linked xml files
using xinclude from another xml processed by xsltproc and generating
some html. And maybe linked some pictures too. It?s been a while since
I?ve done that though I think I still use that setup (haven?t updated
cgit there for a while tho).

That is not to say you?ve done me wrong by removing the feature, I?m
not in the position to judge without diving deeper into background of
the change ;-)

Love,
H