Fwd: XSS in cgit

Jason A. Donenfeld Jason at zx2c4.com
Sun Jan 17 17:23:24 CET 2016

---------- Forwarded message ----------
From: Michael Krelin <hacker at klever.net>
Date: Fri, Jan 15, 2016 at 7:17 PM
Subject: Re: XSS in cgit
To: "Jason A. Donenfeld" <Jason at zx2c4.com>
Cc: "cgit at lists.zx2c4.com" <cgit at lists.zx2c4.com>


I can’t remember all the details (2008!), but the main idea was to
feed the URL directly to something that would process it according to
the content type header. In particular, I believe I linked xml files
using xinclude from another xml processed by xsltproc and generating
some html. And maybe linked some pictures too. It’s been a while since
I’ve done that though I think I still use that setup (haven’t updated
cgit there for a while tho).

That is not to say you’ve done me wrong by removing the feature, I’m
not in the position to judge without diving deeper into the background
of the change ;-)


