X-Git-Url: https://git.tokkee.org/?a=blobdiff_plain;f=gitweb%2Fgitweb.perl;h=bdaa4e9463460a149a5c7f13881e5373257bc4e5;hb=ff6e93fe605b748055267fd325c760d0f32dcf92;hp=99f71b47c2a6b53bb52ce29e96361e7c2acbe19d;hpb=8561b522d756861a41c0c54dfa2f609c7063887a;p=git.git diff --git a/gitweb/gitweb.perl b/gitweb/gitweb.perl index 99f71b47c..bdaa4e946 100755 --- a/gitweb/gitweb.perl +++ b/gitweb/gitweb.perl @@ -132,6 +132,10 @@ our $fallback_encoding = 'latin1'; # - one might want to include '-B' option, e.g. '-B', '-M' our @diff_opts = ('-M'); # taken from git_commit +# Disables features that would allow repository owners to inject script into +# the gitweb domain. +our $prevent_xss = 0; + # information about snapshot formats that gitweb is capable of serving our %known_snapshot_formats = ( # name => { @@ -4494,7 +4498,9 @@ sub git_summary { print "\n"; - if (-s "$projectroot/$project/README.html") { + # If XSS prevention is on, we don't include README.html. + # TODO: Allow a readme in some safe format. + if (!$prevent_xss && -s "$projectroot/$project/README.html") { print "