[PATCHv2 2/3] Add ability to authorize viewing a repository
Valentin Haenel
valentin.haenel at gmx.de
Tue Oct 30 10:54:38 CET 2012
* Valentin Haenel <valentin.haenel at gmx.de> [2012-10-29]:
> * Jason A. Donenfeld <Jason at zx2c4.com> [2012-10-28]:
> > On Sat, Oct 27, 2012 at 7:00 PM, Ben Boeckel <mathstuf at gmail.com> wrote:
> > >> + cgit_print_error(fmt("Authorization failed for repo: '%s' and user: '%s'",
> > >> + ctx->repo->name, ctx->env.remote_user));
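Review bot: the buffer returned by fmt() carries two externally supplied strings (ctx->repo->name and ctx->env.remote_user) straight into cgit_print_error(), so nothing in this hunk escapes them; the hunk is only safe if cgit_print_error() itself runs html_txt() over its argument rather than emitting it raw, which is worth confirming before merging. Separately, check that ctx->env.remote_user cannot be NULL at this point, because a NULL handed to a printf-style '%s' is undefined behaviour; if it can, guard it with a fallback such as "(none)" in the fmt() call.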
> >
> > XSS.
>
> Would it be enough to use 'html_txt' from html.c:
>
> http://git.zx2c4.com/cgit/tree/html.c#n92
>
> to prevent this?
After further investigation, I discovered that 'cgit_print_error' uses
'html_txt' to do the escaping:
http://git.zx2c4.com/cgit/tree/ui-shared.c#n30
V-
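The thread turns on where the escaping of the error message happens. The following is an added example, not cgit's own code and not Valentin's or Jason's: it reproduces the patch's pattern (format the message with the repo name and REMOTE_USER first, then escape the whole string once before it reaches the HTML output) with a stand-alone html_txt-style escaper. The escaper, the function name auth_failed_message, the 512-byte buffer, and the "(none)" fallback for a missing remote user are assumptions made for this example; the character set escaped here (the three text-node breakers plus both quotes) is a conservative choice and is not a claim about what cgit's html_txt escapes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not cgit's html_txt(): a minimal HTML text escaper.
 * It escapes the characters that terminate a text node ('<', '>', '&')
 * and, conservatively, both quote characters, so the result is also safe
 * inside a quoted attribute. Returns a malloc'd string the caller frees,
 * or NULL on allocation failure.
 */
char *html_escape(const char *txt)
{
    /* Worst case: every input byte becomes a 6-byte entity ("&quot;"). */
    size_t cap = strlen(txt) * 6 + 1;
    char *out = malloc(cap);
    if (!out)
        return NULL;

    size_t n = 0;
    for (const char *p = txt; *p; p++) {
        const char *rep;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = NULL;     break;
        }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(out + n, rep, l);
            n += l;
        } else {
            out[n++] = *p;
        }
    }
    out[n] = '\0';
    return out;
}

/*
 * Mirrors the quoted patch line: build the message with a printf-style
 * format (cgit uses fmt() for this), then escape the whole result once
 * before it is written into the page. The escaping therefore covers both
 * untrusted values no matter how many are interpolated.
 *
 * Assumption for this example: remote_user may be NULL when the web
 * server authenticated nobody. Passing NULL to "%s" is undefined
 * behaviour in C, so a fixed fallback is substituted instead.
 */
char *auth_failed_message(const char *repo, const char *remote_user)
{
    char buf[512];
    snprintf(buf, sizeof buf,
             "Authorization failed for repo: '%s' and user: '%s'",
             repo, remote_user ? remote_user : "(none)");
    return html_escape(buf);
}

int main(void)
{
    /* Constructed input: an attacker-controlled REMOTE_USER value. */
    char *m = auth_failed_message("cgit", "<script>alert(1)</script>");
    if (!m)
        return 1;
    puts(m);   /* the <script> tag comes out as inert &lt;script&gt; text */
    free(m);
    return 0;
}
```

Run as shown, the script tag in the forged user name is emitted as entity-encoded text rather than markup. The point carried over from the thread is that escaping at the single output function (here html_escape, in cgit the html_txt call inside cgit_print_error) is what makes the fmt() call safe; if the message were ever written with a raw HTML writer instead, the same line would be an XSS.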