CVE Request: CGit - Multiple vulnerabilities

Jason A. Donenfeld
Thu Jan 14 15:21:36 CET 2016

Hi folks,

Krzysztof Katowicz-Kowalewski from ESET, Erik Cabetas from Include
Security, and myself (Jason Donenfeld) from Edge Security have found
a few vulnerabilities in CGit:

1. Reflected Cross Site Scripting & Header Injection in Mimetype Query
String [Katowicz-Kowalewski]

The ui-blob handler accepted a mimetype as a query string and then
echoed this string verbatim back. A malicious user could provide a
string like: <script>xss</script>

This has been fixed by removing support for the mimetype query string parameter:
And then restricting to only generic mimetypes:
And finally, just in case, setting the IE anti-sniffing header as well
as a restrictive CSP header:

2. Stored Cross Site Scripting & Header Injection in Filename
Parameter [Donenfeld]

A user who has write access to the git repository could create
filenames containing new lines that would result in that filename,
including the newlines, being included in a header, resulting in
header injection and eventually XSS.

This has been fixed by properly escaping filenames in headers:
Additionally, while the redirect for the /about -> /about/ page does
*not* appear to be vulnerable due to mitigating conditions, the
following commit was made to similarly harden potential injections

3. Stored Cross Site Scripting in Git Repo Files [Katowicz-Kowalewski]

A user who has write access to the git repository can add HTML pages
and then serve them with an HTML mimetype. A user could therefore
upload pages with malicious javascript executing in the same origin as
the cgit web site. While this is ordinarily not a problem for
single-use users - and indeed some users rather like being able to
serve html from cgit - sites that allow potentially malicious third
party users may not find this behavior desirable.

This has been fixed by adding a configuration option,
"enable-html-serving", which is by default off:
This flag sets anti-sniffing, CSP, and restricts mimetypes to
non-"application/" (except for application/pdf and
application/octet-stream) and non-"text/" (except for text/plain). If
you have a better idea of what sort of white/black list to use for
this, I am open to suggestions.

4. Integer Overflow resulting in Buffer Overflow [Cabetas]

ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this unsigned int into an int, we
potentially overflow it, resulting in the following bounding check
failing, leading to a buffer overflow.
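As an added illustration (not CGit's code and not the commit referenced below), the snippet reconstructs the pattern described above: narrowing the unsigned CONTENT_LENGTH into an int lets values above INT_MAX slip past the bound check, while keeping the comparison unsigned and validating the strtoul result rejects them. The names flawed_check_accepts and read_body_hardened are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Flawed pattern from the report: the unsigned content length is stored
 * in an int before the bound check. Any value above INT_MAX becomes a
 * negative int (on two's-complement targets), so "len > buf_size" is
 * false and a later read of that many bytes overruns the buffer.
 * Returns true when the check would let the read proceed. */
bool flawed_check_accepts(unsigned int content_length, size_t buf_size)
{
    int len = (int)content_length;   /* sign flips for values >= 2^31 */
    if (len > (int)buf_size)
        return false;                /* never taken for negative len */
    return true;
}

/* Hardened version: parse CONTENT_LENGTH the way the report says it is
 * parsed (strtoul), but reject garbage, ERANGE overflow and anything
 * that does not fit in the buffer, without ever narrowing to int.
 * Returns the number of body bytes copied, or 0 on rejection. */
size_t read_body_hardened(const char *content_length_env,
                          const char *body, size_t body_len,
                          char *buf, size_t buf_size)
{
    char *end;
    unsigned long n;

    if (!content_length_env || !*content_length_env)
        return 0;
    errno = 0;
    n = strtoul(content_length_env, &end, 10);
    if (errno == ERANGE || *end != '\0' || n > buf_size)
        return 0;                    /* stays unsigned; no wrap possible */
    if (n > body_len)
        n = body_len;                /* fewer bytes supplied than claimed */
    memcpy(buf, body, n);
    return n;
}
```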

This has been fixed by this commit:

A new version containing these security fixes will be published shortly.
