Askar Safin wrote:
> Bob Proulx wrote:
> > Hello Askar,
> >
> > I cannot reproduce this anymore.
>
> I noticed strange links 5 Sep 19:25 UTC at
> https://git.savannah.gnu.org/cgit/ . In Chromium 121.0.6167.160 with
> lots of extensions installed (but most of them are authored by me, and
> I don't think they damaged the page).

Very strange indeed!

> But now (6 Sep 8:28 UTC) I don't see strange links. In the same browser

I hate problems that come and go without any meaningful reason.

> Let's look again at the original strange URL. If we do URL-decode, we
> will get this:
> ===
> https://git.savannah.gnu.org/cgit/akfquiz.git/plain/srcbin/',
> ScriptName, grIcon
> '/cygbuild.git/tree/achatina.git/akfavatar.git/auctex.git/log/3dldf.git/8sync.git/tree/3dldf.git/tree/woodchuck.git/tree/guix/dhcp.git/rcs.git/tree/elisp-es.git/
> ===
> This looks like SQL-injection or similar. Or maybe some mishandling of
> strings. I suggest searching for "ScriptName, grIcon" in your
> codebase.

The cgit tool does not use an SQL database. I know you say "like",
meaning similar to and not a hard "that's it", but it can't be
specifically that since there is no database. It's displaying files on
disk and there is no session or other storage.

Our codebase is the stock cgit Trisquel OS distribution compiled
package. Which in this case is passed through verbatim from the Ubuntu
OS software distribution compiled package. We make no modifications to
the source code. It's the same files that are used widely by other
sites also running a cgit service. It's not impossible to imagine that
there is a bug in the code base, but if so then the problem is shared
widely among everyone.

Out of curiosity, and it being easy to do, I cloned the cgit source
code to get a local sandbox of it and grep'd through it. There is no
mention of either "ScriptName" or "grIcon" anywhere in it.

Bob