HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012)

The instance in preprocess() is just correctness. It is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here.

branch master
parent 355ba85137
commit 32ef584dc5
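As an added illustration of the escaping this commit introduces (example code written for this page, not ikiwiki's own), the script below builds an error message that echoes a filename containing markup and renders it both without and with HTML::Entities escaping. The filename, the error text and the helper names `render_unescaped` and `render_escaped` are constructed here; the fallback escaper used when HTML::Entities cannot be loaded is also an addition and not something the patch contains.

```perl
#!/usr/bin/perl
# Added example, not ikiwiki code: HTML-escape an error message before
# interpolating it into page markup, with a fallback if HTML::Entities is absent.
use strict;
use warnings;

# Load HTML::Entities at run time as the patch does, but check the result:
# if the module is missing, fall back to a minimal escaper instead of dying later.
my $escape = eval { require HTML::Entities; \&HTML::Entities::encode_entities }
    || sub {
        my ($s) = @_;
        $s =~ s/([&<>"'])/sprintf('&#%d;', ord $1)/ge;
        return $s;
    };

# Constructed stand-in for attacker-controlled input: a filename carrying markup.
my $crafted_name = 'notes<i>not a file</i>.txt';

# Simulate a module raising an exception that echoes the filename it was given,
# then capture it the way preprocess() does (copy $@, strip the newline).
eval { die "cannot read $crafted_name: No such file or directory\n" };
my $error = $@;
chomp $error;

# Before the fix: the message is dropped straight into the HTML, tags and all.
sub render_unescaped {
    my ($msg) = @_;
    return '<span class="error">Error: ' . $msg . '</span>';
}

# After the fix: the message is escaped first, so a browser shows the tags as text.
sub render_escaped {
    my ($msg) = @_;
    return '<span class="error">Error: ' . $escape->($msg) . '</span>';
}

print "unescaped: ", render_unescaped($error), "\n";
print "escaped:   ", render_escaped($error), "\n";
```

Run it with `perl escape_demo.pl`: the first line carries the literal `<i>` tags inside the error span, where a browser would interpret them, while the second shows them as `&lt;i&gt;` entities. The `eval { require ... }` form checks whether the module actually loaded, which is the one thing the patch's `eval q{use HTML::Entities}` does not do.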
@ -1647,6 +1647,8 @@ sub preprocess ($$$;$$) {
if ($@) {
my $error=$@;
chomp $error;
eval q{use HTML::Entities};
$error = encode_entities($error);
$ret="[[!$command <span class=\"error\">".
gettext("Error").": $error"."</span>]]";
}

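Review bot: the result of `eval q{use HTML::Entities};` is never checked, so if the module fails to load the next line calls an undefined `encode_entities` and dies inside the error-reporting branch, replacing the original message with an undefined-subroutine error. Because `$error` was already copied out of `$@` two lines earlier, the eval clobbering `$@` is harmless here, but consider testing `$@` (or the eval's return value) after the `use` and falling back to a minimal escape of `&`, `<`, `>` and `"`, or making HTML::Entities a plain `use` at file scope so a missing module is caught at startup rather than in the error path.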
@ -488,6 +488,9 @@ sub cgi (;$$) {
sub cgierror ($) {
my $message=shift;

eval q{use HTML::Entities};
$message = encode_entities($message);

print "Content-type: text/html\n\n";
print cgitemplate(undef, gettext("Error"),
"<p class=\"error\">".gettext("Error").": $message</p>");

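Review bot: the same unchecked `eval q{use HTML::Entities};` appears here as in preprocess(), and cgierror() is the last-resort error path for the CGI, so a failed load would die before the `Content-type` header is printed and the user would get no page at all. Since both call sites now repeat the same load-and-escape idiom, consider one small helper (with a fallback when HTML::Entities is unavailable) used by both. A short comment that `gettext("Error")` is deliberately left unescaped because it is translator-supplied rather than user-supplied would also help, since it now sits next to the freshly escaped `$message`.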