From: schwarze@mandoc.bsd.lv
To: source@mandoc.bsd.lv
Subject: cvsweb: similar to rev.
Date: Sat, 9 Nov 2019 05:06:53 -0500 (EST) [thread overview]
Message-ID: <8d0768f7403cd608@mandoc.bsd.lv> (raw)
Log Message:
-----------
similar to rev. 3.119.2.22:
Fix the QUERY_STRING parts of the XSS vulnerabilities found by Ezio Paglia
in a more robust way: do very strict whitelist-based input validation on
the characters occurring in the QUERY_STRING, such that everything
stored in the %input hash table is safe in the first place without
requiring any kind of escaping later. When finding unexpected characters
in the QUERY_STRING, it is safest to simply error out fatal()ly.
Modified Files:
--------------
cvsweb:
cvsweb.cgi
Revision Data
-------------
Index: cvsweb.cgi
===================================================================
RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v
retrieving revision 4.8
retrieving revision 4.9
diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r4.8 -r4.9
--- cvsweb.cgi
+++ cvsweb.cgi
@@ -358,9 +358,17 @@ if (defined($ENV{QUERY_STRING})) {
$p =~ y/+/ /;
my ($key, $val) = split(/=/, $p, 2);
next unless defined($key);
- $val = 1 unless defined($val);
- ($key = uri_unescape($key)) =~ /[[:graph:]]/ or next;
- ($val = uri_unescape($val)) =~ /[[:graph:]]/ or next;
+ $key = uri_unescape($key);
+ $key =~ /([^a-z_12-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in query parameter "%s"', $1, $key);
+ if (defined $val) {
+ $val = uri_unescape($val);
+ $val =~ /([^a-zA-Z_01-9.\/-])/ and fatal('404 Not Found',
+ 'Invalid character "%s" in the value "%s" of the query parameter "%s"',
+ $1, $value, $key);
+ } else {
+ $val = 1;
+ }
$query{$key} = $val;
}
}
--
To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
next reply other threads:[~2019-11-09 10:06 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-09 10:06 schwarze [this message]
-- strict thread matches above, loose matches on Subject: below --
2019-11-09 9:41 schwarze
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8d0768f7403cd608@mandoc.bsd.lv \
--to=schwarze@mandoc.bsd.lv \
--cc=source@mandoc.bsd.lv \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).