* cvsweb: Fix the QUERY_STRING parts of the XSS vulnerabilities found by
@ 2019-11-07 21:21 schwarze
0 siblings, 0 replies; only message in thread
From: schwarze @ 2019-11-07 21:21 UTC (permalink / raw)
To: source
Log Message:
-----------
Fix the QUERY_STRING parts of the XSS vulnerabilities found by Ezio Paglia
in a more robust way: do very strict whitelist-based input validation on
the characters occurring in the QUERY_STRING, such that everything
stored in the %input hash table is safe in the first place without
requiring any kind of escaping later. When finding unexpected characters
in the QUERY_STRING, it is safest to simply error out fatal()ly.
Tags:
----
FreeBSD-cvsweb-2_0-branch
Modified Files:
--------------
cvsweb:
cvsweb.cgi
Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 3.119.2.21
retrieving revision 3.119.2.22
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.21 -r3.119.2.22
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -314,10 +314,18 @@ if (defined($query) && $query ne '') {
foreach (split (/&/, $query)) {
y/+/ /;
s/%(..)/sprintf("%c", hex($1))/ge; # unquote %-quoted
- if (/(\S+)=(.*)/) {
- $input{$1} = $2 if ($2 ne "");
+ my ($key, $value) = split /=/;
+ $key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in query parameter "%s"',
+ $1, $key);
+ if (defined $value) {
+ $value =~ /([^a-zA-Z_01-9.\/-])/ and fatal(
+ '404 Not Found', 'Invalid character "%s"' .
+ 'in the value "%s" of the query parameter "%s"',
+ $1, $value, $key);
+ $input{$key} = $value if $value ne '';
} else {
- $input{$_}++;
+ $input{$key}++;
}
}
}
--
To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-11-07 21:21 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-07 21:21 cvsweb: Fix the QUERY_STRING parts of the XSS vulnerabilities found by schwarze
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).