On Tue, Sep 2, 2025 at 3:11 PM Taylor Blau <me@xxxxxxxxxxxx> wrote:
> When running Gitweb and loading a blobdiff with the "hpb" ("hash parent
> base") query parameter set to a valid diff-tree option, say,
> "--output=/tmp/pwned", Gitweb will faithfully execute "diff-tree"
> internally (via "sub git_blobdiff") and blindly pass in the "hpb" query
> parameter.
>
> In other words, visiting a URL like:
>
>   http://127.0.0.1:1234/?p=<PROJECT_NAME>;a=blobdiff;f=*;hpb=--output=/tmp/pwned;hb=HEAD
>
> will result in the file "/tmp/pwned" being created. This happens as a
> result of gitweb executing something like:
>
>   git diff-tree -r -M --output=/tmp/pwned HEAD --
>
> , where "--output=/tmp/pwned" is substituted in as the value of
> "$hash_parent_base".
>
> There are various other spots in Gitweb which are too eager to pass
> untrusted query parameter values as command-line arguments, leading to
> at least the above option-injection attack, and likely many others.
>
> Since 51b4594b40 (parse-options: allow --end-of-options as a synonym for
> "--", 2019-08-06), we have the "--end-of-options" command-line flag as
> a standard mechanism to indicate that any further argument should not be
> interpreted as command-line options.
>
> Guard agains this and other option-injection attacks by placing the
> "--end-of-options" flag before any untrusted user-input in any place
> that gitweb spawns Git as a sub-process.

s/agains/against/

> Reported-by: Moritz Sanft <moritz.sanft@xxxxxxxxxx>
> Signed-off-by: Taylor Blau <me@xxxxxxxxxxxx>
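The following is an added illustration of the fix described in the quoted commit message; it is not gitweb's Perl code or part of this thread. It models, in Python, the argv that gitweb builds for "git diff-tree" before and after inserting "--end-of-options", plus a small simulation of how git's option parser classifies each argument, so the effect of the guard can be checked without spawning git. The function names and the conservative revision-name pattern used as an extra check are assumptions made for this example, not gitweb's own validators.

```python
"""Option-injection guard for a web front end that spawns git, modelled on
the gitweb "blobdiff" case: untrusted query parameters ("hpb", "hb", "f")
end up in the argv of `git diff-tree`.  Added illustration, not gitweb code."""

import re
from typing import Dict, List

# Defence-in-depth check on revision-like parameters (assumed pattern, not
# gitweb's validator): must start with an alphanumeric, so anything that
# looks like an option ("-x", "--output=...") is rejected up front.
_SAFE_REV = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._/-]{0,255}$")

# Options gitweb itself adds; everything else in option position is suspect.
_EXPECTED_OPTIONS = ["-r", "-M"]


def vulnerable_diff_tree_argv(hash_parent_base: str, hash_base: str, path: str) -> List[str]:
    """Shape of the original command: user input lands in option position."""
    return ["git", "diff-tree", "-r", "-M", hash_parent_base, hash_base, "--", path]


def hardened_diff_tree_argv(hash_parent_base: str, hash_base: str, path: str) -> List[str]:
    """Same command with --end-of-options placed before any untrusted value."""
    return ["git", "diff-tree", "-r", "-M", "--end-of-options",
            hash_parent_base, hash_base, "--", path]


def parse_like_git(argv: List[str]) -> Dict[str, List[str]]:
    """Simplified model of git's argument handling for a revision-taking
    command: before --end-of-options, anything starting with '-' is an
    option and '--' switches to pathspecs; after --end-of-options every
    argument is a revision until '--', after which arguments are paths."""
    options: List[str] = []
    revisions: List[str] = []
    paths: List[str] = []
    mode = "opts"
    for arg in argv[2:]:  # skip "git", "diff-tree"
        if mode == "opts":
            if arg == "--end-of-options":
                mode = "revs"
            elif arg == "--":
                mode = "paths"
            elif arg.startswith("-"):
                options.append(arg)
            else:
                revisions.append(arg)
        elif mode == "revs":
            if arg == "--":
                mode = "paths"
            else:
                revisions.append(arg)
        else:
            paths.append(arg)
    return {"options": options, "revisions": revisions, "paths": paths}


def injected_options(argv: List[str]) -> List[str]:
    """Return any argument that git would treat as an option but that the
    caller did not intend to pass (i.e. attacker-controlled options)."""
    return [o for o in parse_like_git(argv)["options"] if o not in _EXPECTED_OPTIONS]


def is_safe_rev(value: str) -> bool:
    """Extra allow-list check for hash/ref parameters (assumed pattern)."""
    return bool(_SAFE_REV.match(value))


if __name__ == "__main__":
    # Constructed input mirroring the report: hpb=--output=/tmp/pwned, hb=HEAD, f=*
    hpb, hb, f = "--output=/tmp/pwned", "HEAD", "*"
    print("vulnerable:", injected_options(vulnerable_diff_tree_argv(hpb, hb, f)))
    print("hardened:  ", injected_options(hardened_diff_tree_argv(hpb, hb, f)))
    print("hpb passes allow-list:", is_safe_rev(hpb))
```

With the hardened argv, git no longer sees "--output=/tmp/pwned" as an option; it is handed to the revision parser as a revision name, which fails to resolve, so no file is written. The allow-list check is independent of that and rejects the value before a process is spawned at all; the commit message's fix is the "--end-of-options" placement, and the pattern check is only an additional layer shown here.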