gitweb: escape html in rss title

The title of an RSS feed is generated from many components,
including the filename provided as a query parameter, but we
failed to quote it.  Besides showing the wrong output, this
is a vector for XSS attacks.

Signed-off-by: Jeff King <peff@peff.net>

diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl
index 10ed9e51a5880430f7f109ff83f950a768a7c530..a51a8babeee1ca5388d12a2ec8ba4b417c86e4a3 100755 (executable)
--- a/gitweb/gitweb.perl
+++ b/gitweb/gitweb.perl
@@ -8055,6 +8055,7 @@ sub git_feed {
                $feed_type = 'history';
        }
        $title .= " $feed_type";
+       $title = esc_html($title);
        my $descr = git_get_project_description($project);
        if (defined $descr) {
                $descr = esc_html($descr);

diff --git a/t/t9502-gitweb-standalone-parse-output.sh b/t/t9502-gitweb-standalone-parse-output.sh
index 731e64c3adbd4d887bfa2c96eb060aa890377cfc..3a8e7d3f5aa1dc6a4d13467babd96a293ee1bb6e 100755 (executable)
--- a/t/t9502-gitweb-standalone-parse-output.sh
+++ b/t/t9502-gitweb-standalone-parse-output.sh
@@ -185,5 +185,20 @@ test_expect_success 'forks: project_index lists all projects (incl. forks)' '
        test_cmp expected actual
 '
 
+xss() {
+       echo >&2 "Checking $1..." &&
+       gitweb_run "$1" &&
+       if grep "$TAG" gitweb.body; then
+               echo >&2 "xss: $TAG should have been quoted in output"
+               return 1
+       fi
+       return 0
+}
+
+test_expect_success 'xss checks' '
+       TAG="<magic-xss-tag>" &&
+       xss "a=rss&p=$TAG" &&
+       xss "a=rss&p=foo.git&f=$TAG"
+'
 
 test_done