#5172 NORM Never A: Gitweb fails to html-escape "owner" data that it pulls from a user's GECOS field.
Zarro Boogs per Child
bugtracker at laptop.org
Wed Nov 28 19:01:44 EST 2007
#5172: Gitweb fails to html-escape "owner" data that it pulls from a user's GECOS
field.
----------------------------+-----------------------------------------------
Reporter: mstone | Owner: krstic
Type: defect | Status: new
Priority: normal | Milestone: Never Assigned
Component: infrastructure | Version:
Keywords: | Verified: 0
----------------------------+-----------------------------------------------
If you make a user whose GECOS entry contains an email address (e.g. "Joe
Schmoe <joe at schmoe.com>"), gitweb will fail to escape the email address
and will produce invalid XML.
The naive solution of calling esc_html($owner) at appropriate points in
the code (around lines 3040 and 3400 of our already-patched gitweb.cgi)
fails because the $owner variable contains wide chars and the esc_html
function does not deal with wide chars.
--
Ticket URL: <http://dev.laptop.org/ticket/5172>
One Laptop Per Child <http://dev.laptop.org>
OLPC bug tracking system
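
An added illustration of the problem in the ticket above (not part of the original report and not gitweb's own code): a GECOS-derived owner string is escaped for HTML/XML whether it arrives as raw bytes or as an already-decoded string with wide characters. The helper names `to_chars` and `escape_owner` are hypothetical, the sample GECOS values are constructed, and the assumption is that the wide-character failure comes from UTF-8-decoding a string that is already decoded.

```perl
#!/usr/bin/perl
# Added example; to_chars() and escape_owner() are hypothetical helpers,
# not functions from gitweb.cgi.
use strict;
use warnings;
use Encode qw(decode);

# Return $str as a Perl character string.
# Strings that already carry the UTF-8 flag are passed through untouched:
# Encode croaks ("Cannot decode string with wide characters") when asked
# to decode a string that contains code points above 255.
sub to_chars {
    my ($str) = @_;
    return '' unless defined $str;
    return $str if utf8::is_utf8($str);
    my $copy  = $str;    # decode() with a CHECK value may modify its input
    my $chars = eval { decode('UTF-8', $copy, Encode::FB_CROAK) };
    # Assumption: bytes that are not valid UTF-8 are treated as Latin-1.
    return defined $chars ? $chars : decode('iso-8859-1', $str);
}

# Escape an owner string for use in HTML/XML text or attribute values.
sub escape_owner {
    my ($owner) = @_;
    my $s   = to_chars($owner);
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    # Remove control characters that XML 1.0 does not allow.
    $s =~ s/[\x00-\x08\x0B\x0C\x0E-\x1F]//g;
    return $s;
}

binmode STDOUT, ':encoding(UTF-8)';
for my $gecos (
    'Joe Schmoe <joe@schmoe.com>',                  # plain ASCII (constructed)
    "J\x{14d}e Schm\x{14d}e <joe\@schmoe.com>",     # decoded, wide characters
    "J\xc5\x8de Schm\xc5\x8de <joe\@schmoe.com>",   # same name as UTF-8 bytes
) {
    print escape_owner($gecos), "\n";
}
```

All three inputs come out with the angle brackets replaced by `&lt;` and `&gt;`, and the second and third produce identical output.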