XSS in cgit

John Keeping john at keeping.me.uk
Thu Jan 14 12:07:39 CET 2016

On Thu, Jan 14, 2016 at 12:01:57PM +0100, Jason A. Donenfeld wrote:
> On Thu, Jan 14, 2016 at 11:57 AM, John Keeping <john at keeping.me.uk> wrote:
> > I wonder if we should just drop support for the "mimetype" query
> > parameter and see if anyone complains.  In general, I would expect it to
> > be the server's responsibility to decide on the type of its output and
> > allowing the client to override it seems like a problem in general.
> Agreed here.
> We still have the other issue of git repos containing valid html with
> malicious scripts and whatnot, though. Can we simply kill the feature
> of allowing HTML to be served from cgit? This would indeed fix the
> security issue in the best way. But would folks complain?

Unlike the "mimetype" query parameter, I can see valid usecases for
serving HTML from repositories with CGit (I've even used it myself in
the past), so I expect there will be complaints for that one.

Could we add a config knob for serving HTML and turn if off by default?
That will allow people who trust their repository contents to use this
feature while protecting everyone else.

More information about the CGit mailing list