From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from localhost (mandoc.bsd.lv [local]) by mandoc.bsd.lv (OpenSMTPD) with ESMTPA id 52467263 for ; Thu, 7 Nov 2019 16:21:14 -0500 (EST)
Date: Thu, 7 Nov 2019 16:21:14 -0500 (EST)
X-Mailinglist: mandoc-source
Reply-To: source@mandoc.bsd.lv
MIME-Version: 1.0
From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: cvsweb: Fix the QUERY_STRING parts of the XSS vulnerabilities found by
X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/
Content-Type: text/plain; charset=utf-8
Message-ID: <8d0763676884d3df@mandoc.bsd.lv>

Log Message:
-----------
Fix the QUERY_STRING parts of the XSS vulnerabilities found by
Ezio Paglia in a more robust way: do very strict whitelist-based
input validation on the characters occurring in the QUERY_STRING,
such that everything stored in the %input hash table is safe in
the first place without requiring any kind of escaping later.
When finding unexpected characters in the QUERY_STRING, it is
safest to simply error out fatal()ly.

Tags:
----
FreeBSD-cvsweb-2_0-branch

Modified Files:
--------------
cvsweb:
cvsweb.cgi

Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.21
retrieving revision 3.119.2.22
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.21 -r3.119.2.22
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -314,10 +314,18 @@ if (defined($query) && $query ne '') { foreach (split (/&/, $query)) { y/+/ /; s/%(..)/sprintf("%c", hex($1))/ge; # unquote %-quoted - if (/(\S+)=(.*)/) { - $input{$1} = $2 if ($2 ne ""); + my ($key, $value) = split /=/; + $key =~ /([^a-z_12-])/ and fatal('404 Not Found', + 'Invalid character "%s" in query parameter "%s"', + $1, $key); + if (defined $value) { + $value =~ /([^a-zA-Z_01-9.\/-])/ and fatal( + '404 Not Found', 'Invalid character "%s"' . + 'in the value "%s" of the query parameter "%s"', + $1, $value, $key); + $input{$key} = $value if $value ne ''; } else { - $input{$_}++; + $input{$key}++; } } } -- To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
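Review bot: the new `my ($key, $value) = split /=/;` needs a limit of 2, i.e. `split /=/, $_, 2`: without it a pair such as `r1=1.5=1.6` yields `$key = 'r1'`, `$value = '1.5'` and the third field is discarded silently, whereas the replaced `(\S+)=(.*)` regex kept everything after the first `=`. With the limit the surplus `=` stays in `$value` and is rejected by the `[^a-zA-Z_01-9.\/-]` check, which is what the strict-whitelist approach wants; the same applies to an encoded `%3D` that the preceding `s/%(..)/.../ge` turns into `=` before the split. Two smaller points in the same hunk: the key check `$key =~ /([^a-z_12-])/` cannot match an empty string, so a pair like `=foo` passes and stores `$input{''}`, and the concatenated message `'Invalid character "%s"' . 'in the value "%s" ...'` is missing the space between `"%s"` and `in`.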
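As an added, stand-alone illustration of the approach the log message describes (this is not cvsweb's code; `parse_query`, `$KEY_OK`, `$VALUE_OK`, the 400 status text and the sample queries are assumptions made here), the following Perl parses a QUERY_STRING with the same decode-then-whitelist order, splits on the first `=` only, and dies on the first unexpected character so that nothing unvalidated reaches the `%input` hash:

```perl
#!/usr/bin/perl
# Added example, not cvsweb code: strict whitelist validation of a CGI
# QUERY_STRING.  parse_query, $KEY_OK and $VALUE_OK are names chosen
# for this illustration.
use strict;
use warnings;

# Anchored whitelists: a match means every character is allowed.
my $KEY_OK   = qr/\A[a-z_12-]+\z/;          # e.g. r1, r2, only_with_tag
my $VALUE_OK = qr/\A[a-zA-Z0-9_.\/-]*\z/;   # revisions, paths, tag names

# Parse a raw QUERY_STRING into a hash reference.  die() stands in for
# cvsweb's fatal(): the first offending parameter aborts the request.
sub parse_query {
    my ($query) = @_;
    my %input;
    return \%input unless defined $query && $query ne '';

    foreach my $pair (split /&/, $query) {
        # Decode first, validate afterwards, otherwise %3C would slip a
        # '<' past the check.  Splitting on '&' before decoding keeps an
        # encoded %26 inside a value from starting a new parameter.
        $pair =~ y/+/ /;
        $pair =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

        # Limit 2: only the first '=' separates key from value, so a
        # later '=' stays in $value and is rejected instead of dropped.
        my ($key, $value) = split /=/, $pair, 2;
        $key = '' unless defined $key;   # "a&&b" produces an empty pair

        die sprintf("400 Bad Request: invalid query parameter name \"%s\"\n",
                    $key)
            unless $key =~ $KEY_OK;

        if (defined $value) {
            die sprintf("400 Bad Request: invalid value \"%s\" for parameter \"%s\"\n",
                        $value, $key)
                unless $value =~ $VALUE_OK;
            $input{$key} = $value if $value ne '';
        } else {
            $input{$key}++;   # bare flag such as "hideattic"
        }
    }
    return \%input;
}

# Constructed sample queries: a normal cvsweb-style request followed by
# the kinds of input the whitelist is meant to stop.
my @samples = (
    'r1=1.5&r2=1.6&f=u&only_with_tag=RELEASE_1_0&hideattic',
    'r1=1.5%3Cscript%3Ealert(1)%3C/script%3E',  # decodes to '<', rejected
    'r1=1.5=1.6',                                # second '=' kept, rejected
    'na%26me=x',                                 # '&' lands in the key, rejected
    '=orphan',                                   # empty key rejected
);

for my $q (@samples) {
    my $result = eval { parse_query($q) };
    if ($@) {
        print "REJECT $q\n        $@";
    } else {
        print "ACCEPT $q\n        ",
              join(' ', map { "$_=$result->{$_}" } sort keys %$result), "\n";
    }
}
```

Only the first sample is accepted (`f=u hideattic=1 only_with_tag=RELEASE_1_0 r1=1.5 r2=1.6`); each of the others dies at the character the whitelist does not allow, before anything is stored. The empty-key rejection and the `split` limit are deliberate tightenings relative to the patch above, and the status text is an assumption, not what cvsweb returns.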