From: cjwatson <> Date: Sat, 7 Jan 2006 00:35:01 +0000 (-0800) Subject: [project @ 2006-01-06 16:35:01 by cjwatson] X-Git-Tag: release/2.6.0~631 X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=e0d57fbfd632c71dfd679ae949773ecbcbc5553f;p=debbugs.git [project @ 2006-01-06 16:35:01 by cjwatson] - Add a number of extra htmlsanit() calls to prevent cross-site scripting attacks. --- diff --git a/cgi/pkgreport.cgi b/cgi/pkgreport.cgi index 38a2e581..4dbd04dc 100755 --- a/cgi/pkgreport.cgi +++ b/cgi/pkgreport.cgi @@ -360,6 +360,7 @@ if (defined $pkg) { return grep(exists $tags{$_}, @tags); })}; } +$title = htmlsanit($title); my @names; my @prior; my @title; my @order; determine_ordering(); @@ -381,7 +382,7 @@ print "
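Review bot: After `$title = htmlsanit($title);` the variable holds escaped HTML rather than the raw title, and nothing at the assignment says so; the same applies to the identical line added in pkg_htmlizebugs (the @@ -744 hunk). A short comment such as `# $title is HTML-escaped from here on; do not escape it again or use it outside HTML output` would stop a later edit from double-escaping it or reusing it in a non-HTML context. Escaping in place is only safe if every branch that built `$title` above left it as plain text; those branches start outside the hunk, so that is worth checking.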

" . "$debbugs::gProject$Archived $debbugs::gBug report logs: $title" my $showresult = 1; if (defined $pkg || defined $src) { - my $showpkg = (defined $pkg) ? $pkg : "source package $src"; + my $showpkg = htmlsanit((defined $pkg) ? $pkg : "source package $src"); my %maintainers = %{getmaintainers()}; my $maint = $pkg ? $maintainers{$pkg} : $maintainers{$src} ? $maintainers{$src} : undef; if (defined $maint) { @@ -485,20 +486,22 @@ print ""; print " " . pkg_htmlselectsuite(1,2,1) . " for " . pkg_htmlselectarch(1,2,2) . "\n"; if (defined $pkg) { - my $v = $version || ""; + my $v = htmlsanit($version) || ""; + my $pkgsane = htmlsanit($pkg); print ""; - print " $pkg version \n"; + print " $pkgsane version \n"; } elsif (defined $src) { - my $v = $version || ""; + my $v = htmlsanit($version) || ""; + my $srcsane = htmlsanit($src); print ""; - print " $src version \n"; + print " $srcsane version \n"; } print " \n"; -my $includetags = join(" ", grep { !m/^subj:/i } split /[\s,]+/, $include); -my $excludetags = join(" ", grep { !m/^subj:/i } split /[\s,]+/, $exclude); -my $includesubj = join(" ", map { s/^subj://i; $_ } grep { m/^subj:/i } split /[\s,]+/, $include); -my $excludesubj = join(" ", map { s/^subj://i; $_ } grep { m/^subj:/i } split /[\s,]+/, $exclude); +my $includetags = htmlsanit(join(" ", grep { !m/^subj:/i } split /[\s,]+/, $include)); +my $excludetags = htmlsanit(join(" ", grep { !m/^subj:/i } split /[\s,]+/, $exclude)); +my $includesubj = htmlsanit(join(" ", map { s/^subj://i; $_ } grep { m/^subj:/i } split /[\s,]+/, $include)); +my $excludesubj = htmlsanit(join(" ", map { s/^subj://i; $_ } grep { m/^subj:/i } split /[\s,]+/, $exclude)); my $vismindays = ($mindays == 0 ? "" : $mindays); my $vismaxdays = ($maxdays == -1 ? "" : $maxdays); 
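Review bot: The two context lines at the end of the @@ -485 hunk, `my $vismindays = ($mindays == 0 ? "" : $mindays);` and the matching `$vismaxdays` line, are left unescaped although they sit directly below the four tag/subject values this change wraps in htmlsanit(). The `==` comparison does not guarantee the value is numeric, so unless `$mindays` and `$maxdays` are validated as integers where they are read (outside the hunk), they should get the same treatment, e.g. `my $vismindays = ($mindays == 0 ? "" : htmlsanit($mindays));`. Separately, `htmlsanit($version) || ""` now hands a possibly undefined `$version` to the sanitizer; `htmlsanit($version || "")` keeps the old guard in front of the call. The form markup these values are printed into is not visible in this view, so it is worth confirming that htmlsanit() also escapes double quotes if any of them land inside an attribute value.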
@@ -744,6 +747,7 @@ sub pkg_htmlizebugs { $title .= join("; ", grep {($_ || "") ne ""} map { $title[$_]->[$ttl[$_]] } 1..$#ttl); } + $title = htmlsanit($title); my $count = $count{"_$order"}; my $bugs = $count == 1 ? "bug" : "bugs"; diff --git a/debian/changelog b/debian/changelog index dbd791a5..1d872b6a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -26,6 +26,8 @@ debbugs (2.4.2) UNRELEASED; urgency=low - Decode RFC1522 mail headers for display in the web interface. bugreport.cgi and pkgreport.cgi now output UTF-8. - Properly support multiple submitter addresses on a single bug. + - Add a number of extra htmlsanit() calls to prevent cross-site + scripting attacks. * Adam Heath: - Rewrite filtering in cgi's common.pl, to make it completely generic.