[PATCH] Fix potential XSS vulnerability in rename hint

Lukas Fleischer cgit at cryptocrack.de
Fri Jul 22 13:47:19 CEST 2011


The file name displayed in the rename hint should be escaped to avoid
XSS. Note that this vulnerability is only applicable when an attacker
has gained push access to the repository.

Signed-off-by: Lukas Fleischer <cgit at cryptocrack.de>
---
 ui-diff.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ui-diff.c b/ui-diff.c
index 868ceec..d97a801 100644
--- a/ui-diff.c
+++ b/ui-diff.c
@@ -97,10 +97,12 @@ static void print_fileinfo(struct fileinfo *info)
 	htmlf("</td><td class='%s'>", class);
 	cgit_diff_link(info->new_path, NULL, NULL, ctx.qry.head, ctx.qry.sha1,
 		       ctx.qry.sha2, info->new_path, 0);
-	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED)
-		htmlf(" (%s from %s)",
-		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed",
-		      info->old_path);
+	if (info->status == DIFF_STATUS_COPIED || info->status == DIFF_STATUS_RENAMED) {
+		htmlf(" (%s from ",
+		      info->status == DIFF_STATUS_COPIED ? "copied" : "renamed");
+		html_txt(info->old_path);
+		html(")");
+	}
 	html("</td><td class='right'>");
 	if (info->binary) {
 		htmlf("bin</td><td class='graph'>%ld -> %ld bytes",
-- 
1.7.6





More information about the CGit mailing list