XSS in cgit

Jason A. Donenfeld Jason at zx2c4.com
Thu Jan 14 12:01:57 CET 2016


On Thu, Jan 14, 2016 at 11:57 AM, John Keeping <john at keeping.me.uk> wrote:
> I wonder if we should just drop support for the "mimetype" query
> parameter and see if anyone complains.  In general, I would expect it to
> be the server's responsibility to decide on the type of its output and
> allowing the client to override it seems like a problem in general.

Agreed here.

We still have the other issue of git repos containing valid html with
malicious scripts and whatnot, though. Can we simply kill the feature
of allowing HTML to be served from cgit? This would indeed fix the
security issue in the best way. But would folks complain?


More information about the CGit mailing list