calculate
/
gentoo-overlay
7
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7f37280349'
${ noResults }
gentoo-overlay/app-text/info2html/files/info2html-2.0-xss.patch

62 lines
2.2 KiB
Raw Blame History

diff -u info2html-2.0-orig/info2html info2html-2.0/info2html
--- info2html-2.0-orig/info2html 2006-09-01 14:55:13.000000000 +0200
+++ info2html-2.0/info2html 2006-09-01 15:05:41.000000000 +0200
@@ -42,7 +42,7 @@
use CGI;
$ENV{'REQUEST_METHOD'} or
- print "Note: I'm really supposed to be run as a CGI!\n";
+ print "Note: I'm really supposed to be run as a CGI\!\n";
#-- patterns
$NODEBORDER = '\037\014?'; #-- delimiter of an info node
@@ -62,7 +62,7 @@
#---------------------------------------------------------
# Don't reveal where we're looking... --jonh 5/20/97 (and reapplied 5/4/1998)
sub DieFileNotFound{
- local($FileName) = @_;
+ local($FileName) = &XssEscape(@_);
#-- TEXT : error message if a file could not be opened
print <<"EOF";
<html><head><title>Info Files - Error Message</title>
@@ -104,6 +104,28 @@
}
#----------------------------------------------------------
+# XssEscape
+#----------------------------------------------------------
+sub XssEscape {
+ local($Tag) = @_;
+ #-- output escaping is required to protect browser
+ # against `cross site' and `cross frame scripting'
+
+ $Tag =~ s/&/&amp;/gs; # ampersand
+ $Tag =~ s/#/&#35;/gs;
+ $Tag =~ s/;/&#59;/gs;
+ $Tag =~ s/[\000-\037\177-\237]/&iquest;/gs; # "ctrl" codes 0-31 and 127-159
+ $Tag =~ s/</&lt;/gs; # less-than symbol
+ $Tag =~ s/>/&gt;/gs; # greater-than symbol
+ $Tag =~ s/"/&quot;/gs; # double quote
+ $Tag =~ s/\240/&nbsp;/gs; # non-breaking space
+ $Tag =~ s/\255/&shy;/gs; # soft hyphen
+ # the rest is interpreted
+ # as ISO 8859-1
+ $Tag;
+}
+
+#----------------------------------------------------------
# ParsHeaderToken
#----------------------------------------------------------
# Parses the heaer line of an info node for a specific
@@ -493,6 +515,8 @@
#----------------------------------------------------------
sub ReplyNotFoundMessage{
local($FileName,$Tag) = @_;
+ $FileName = &XssEscape($FileName);
+ $Tag = &XssEscape($Tag);
print <<"EOF";
<html><head><title>Info Files - Error Message</title>
$BOTS_STAY_AWAY
Only in info2html-2.0: info2html.orig
Only in info2html-2.0: info2html.rej
Reference in new issue View Git Blame Copy Permalink