source@mandoc.bsd.lv
 help / color / Atom feed
* cvsweb: Fix the QUERY_STRING parts of the XSS vulnerabilities found by 
@ 2019-11-07 21:21 schwarze
  0 siblings, 0 replies; only message in thread
From: schwarze @ 2019-11-07 21:21 UTC (permalink / raw)
  To: source

Log Message:
-----------
Fix the QUERY_STRING parts of the XSS vulnerabilities found by Ezio Paglia
in a more robust way: do very strict whitelist-based input validation on
the characters occurring in the QUERY_STRING, such that everything  
stored in the %input hash table is safe in the first place without
requiring any kind of escaping later.  When finding unexpected characters
in the QUERY_STRING, it is safest to simply error out fatal()ly.

Tags:
----
FreeBSD-cvsweb-2_0-branch

Modified Files:
--------------
    cvsweb:
        cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.21
retrieving revision 3.119.2.22
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.21 -r3.119.2.22
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -314,10 +314,18 @@ if (defined($query) && $query ne '') {
 	foreach (split (/&/, $query)) {
 		y/+/ /;
 		s/%(..)/sprintf("%c", hex($1))/ge;    # unquote %-quoted
-		if (/(\S+)=(.*)/) {
-			$input{$1} = $2 if ($2 ne "");
+		my ($key, $value) = split /=/;
+		$key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+		    'Invalid character "%s" in query parameter "%s"',
+		    $1, $key);
+		if (defined $value) {
+			$value =~ /([^a-zA-Z_01-9.\/-])/ and fatal(
+			    '404 Not Found', 'Invalid character "%s"' .
+			    'in the value "%s" of the query parameter "%s"',
+			    $1, $value, $key);
+			$input{$key} = $value if $value ne '';
 		} else {
-			$input{$_}++;
+			$input{$key}++;
 		}
 	}
 }
--
 To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-07 21:21 cvsweb: Fix the QUERY_STRING parts of the XSS vulnerabilities found by schwarze

source@mandoc.bsd.lv

Archives are clonable: git clone --mirror http://inbox.vuxu.org/mandoc-source

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://inbox.vuxu.org/vuxu.archive.mandoc.source


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git