From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from localhost (fantadrom.bsd.lv [local]) by fantadrom.bsd.lv (OpenSMTPD) with ESMTPA id 655d8deb for ; Thu, 21 Mar 2019 17:58:53 -0500 (EST) Date: Thu, 21 Mar 2019 17:58:53 -0500 (EST) X-Mailinglist: mandoc-source Reply-To: source@mandoc.bsd.lv MIME-Version: 1.0 From: schwarze@mandoc.bsd.lv To: source@mandoc.bsd.lv Subject: cvsweb: Patch from Peter J. X-Mailer: activitymail 1.26, http://search.cpan.org/dist/activitymail/ Content-Type: text/plain; charset=utf-8 Message-ID: Log Message: ----------- Patch from Peter J. Philipp to fix some opportunities for XSS; triggered by a report from Ezio Paglia Tags: ---- FreeBSD-cvsweb-2_0-branch Modified Files: -------------- cvsweb: cvsweb.cgi Revision Data ------------- Index: cvsweb.cgi =================================================================== RCS file: /home/cvs/mandoc/cvsweb/cvsweb.cgi,v retrieving revision 3.119.2.14 retrieving revision 3.119.2.15 diff -Lcvsweb.cgi -Lcvsweb.cgi -u -p -r3.119.2.14 -r3.119.2.15 --- cvsweb.cgi +++ cvsweb.cgi @@ -989,8 +989,9 @@ if (-d $fullname) { if (scalar %tags || $input{only_with_tag}) { print "
\n"; foreach my $var (@stickyvars) { + my $tmpvar = htmlquote($input{$var}); print - "\n" + "\n" if (defined($input{$var}) && (!defined($DEFAULTVALUE{$var}) || $input{$var} ne $DEFAULTVALUE{$var}) @@ -2612,7 +2613,7 @@ sub printLog($;$) { sprintf( '%s/%s?annotate=%s%s', $scriptname, urlencode($where), $_, - $barequery + htmlquote($barequery) ) ); } @@ -2625,7 +2626,7 @@ sub printLog($;$) { '[select for diffs]', sprintf( '%s?r1=%s%s', $scriptwhere, - $_, $barequery + $_, htmlquote($barequery) ) ); } else { @@ -2828,7 +2829,7 @@ sub doLog($) { foreach (@stickyvars) { printf('', $_, - $input{$_}) + htmlquote($input{$_})) if (defined($input{$_}) && ((!defined($DEFAULTVALUE{$_}) || $input{$_} ne $DEFAULTVALUE{$_}) && $input{$_} ne "")); @@ -3267,7 +3268,7 @@ sub clickablePath($$) { join ('', $scriptname, urlencode($wherepath), (!$last || $lastslash ? '/' : ''), - $query, + htmlquote($query), (!$last || $lastslash ? "#dirlist" : "") )); } else { # do not make a link to the current dir @@ -3508,6 +3509,7 @@ sub htmlquote($) { # Special Characters; RFC 1866 s/&/&/g; s/\"/"/g; + s/%22/"/g; s//>/g; -- To unsubscribe send an email to source+unsubscribe@mandoc.bsd.lv
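Review bot: `my $tmpvar = htmlquote($input{$var});` runs before the `defined($input{$var})` test that guards the print, so for every sticky variable absent from the request `htmlquote` is applied to undef; if the function works on its argument with `s///` as the last hunk suggests, that is one uninitialized-value warning per variable per request under `use warnings` (the rest of `htmlquote` is outside this view). Quote only when there is something to emit, e.g. `my $tmpvar = defined $input{$var} ? htmlquote($input{$var}) : '';`, or move the quoting into the branch that prints. The `doLog` hunk later in this patch does the same job by calling `htmlquote($input{$_})` inline in the `printf` argument list; using one shape at both sites would make the sticky-variable output easier to audit. The `<input>` markup in this hunk's print statements did not survive the rendering, so whether the `value` attribute is double-quoted (which `htmlquote`'s `"` escaping relies on) cannot be checked here. The enclosing block continues past the hunk.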
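Review bot: `htmlquote($barequery)` is applied at the point of use, and the patch repeats that at the `[select for diffs]` link in the next hunk and as `htmlquote($query)` in `clickablePath`; any other place that interpolates `$barequery` or `$query` into markup and is not in this patch stays unescaped, and every future call site has to remember the call. A more robust layering is to percent-encode each value with `urlencode` where `$barequery` and `$query` are assembled (as `$where` already goes through `urlencode` in this same `sprintf`), so the only HTML-significant character left in a query string is `&`, and then `htmlquote` once at the sink; whether the builders of those strings do that today is outside this view. The `$_` placed into the `annotate=` parameter is not quoted; if it is always a revision number that is fine, otherwise it belongs in the same treatment. `printLog` begins and ends outside the hunk.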
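Review bot: The added `s/%22/…/g` (its replacement shows as `"` in this rendering, presumably `&quot;` in the source) puts a URL-decoding rule into an HTML-escaping routine, and it is applied unconditionally to everything that passes through `htmlquote`, so a literal `%22` in a log message or other text displayed through this function will now render as a quote character. It is also a partial rule: `%3C`, `%3E`, `%27` and lowercase hex such as `%3c` are not covered, so the same class of input still reaches the attribute unchanged. Unless something downstream URL-decodes the query before emitting it, `%22` inside a double-quoted attribute is inert (it is not `"`), and a raw `"` is already handled by the preceding `s/\"/…/g`, so the fix belongs wherever the query is built without `urlencode`. If the replacement really is a literal `"` rather than `&quot;`, the new line runs after the quote-escaping line and would inject unescaped quotes, which is the opposite of the intent. Suggest dropping the line from `htmlquote` and adding above the sub `# HTML-escapes &, ", < and > only; callers must URL-encode query values before they reach a URL attribute.`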