From: <gi...@ma...> - 2009-12-01 01:03:24
The branch, master-1.2.x has been updated via d36359cf13c41e0889f31eb82c46a49fdd368a03 (commit) from ff7f362f1408933c160927725781dcabd895984f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit d36359cf13c41e0889f31eb82c46a49fdd368a03 Author: David Hicks <hic...@op...> Date: Tue Dec 1 11:56:46 2009 +1100 Fix #11229: Fix tagging XSS scripting vulnerabilities Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users. Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue. ----------------------------------------------------------------------- Summary of changes: core/filter_api.php | 6 +++--- core/print_api.php | 2 +- tag_update_page.php | 11 +++++++---- tag_view_page.php | 4 ++-- 4 files changed, 13 insertions(+), 10 deletions(-) ----------------------------------------------------------------------- commit d36359cf13c41e0889f31eb82c46a49fdd368a03 Author: David Hicks <hic...@op...> Date: Tue Dec 1 11:56:46 2009 +1100 Fix #11229: Fix tagging XSS scripting vulnerabilities Tag names and descriptions were not properly sanitised before being written to HTML output. This meant that it was possible for users to create tags containing Javascript that is executed on every load of view_all_bug_page (and elsewhere) for all users. Thanks to Michel Arboi from Tenable Network Security (Nessus) for reporting this issue. diff --git a/core/filter_api.php b/core/filter_api.php index 0b29057..c19835d 100644 --- a/core/filter_api.php +++ b/core/filter_api.php 
@@ -2939,8 +2939,8 @@ function filter_draw_selection_area2( $p_page_number, $p_for_screen = true, $p_e
 $t_tag_string .= ( is_blank( $t_tag_string ) ? '' : config_get( 'tag_separator' ) );
 $t_tag_string .= tag_get_field( $t_filter[FILTER_PROPERTY_TAG_SELECT], 'name' );
 }
- echo $t_tag_string;
- echo '<input type="hidden" name="', FILTER_PROPERTY_TAG_STRING, '" value="', $t_tag_string, '" />';
+ echo string_html_entities( $t_tag_string );
+ echo '<input type="hidden" name="', FILTER_PROPERTY_TAG_STRING, '" value="', string_attribute( $t_tag_string ), '" />';
 ?>
 </td>
 </tr>
@@ -3900,7 +3900,7 @@ function print_filter_tag_string() {
 }
 ?>
 <input type="hidden" id="tag_separator" value="<?php echo config_get( 'tag_separator' )?>" />
- <input type="text" name="<?php echo FILTER_PROPERTY_TAG_STRING;?>" id="<?php echo FILTER_PROPERTY_TAG_STRING;?>" size="40" value="<?php echo $t_tag_string?>" />
+ <input type="text" name="<?php echo FILTER_PROPERTY_TAG_STRING;?>" id="<?php echo FILTER_PROPERTY_TAG_STRING;?>" size="40" value="<?php echo string_attribute( $t_tag_string )?>" />
 <select <?php echo helper_get_tab_index()?> name="<?php echo FILTER_PROPERTY_TAG_SELECT;?>" id="<?php echo FILTER_PROPERTY_TAG_SELECT;?>">
 <?php print_tag_option_list();?>
 </select>
diff --git a/core/print_api.php b/core/print_api.php
index 37ae895..f34f695 100644
--- a/core/print_api.php
+++ b/core/print_api.php
@@ -317,7 +317,7 @@ function print_tag_option_list( $p_bug_id = 0 ) {
 if ( !empty( $row['description'] ) ) {
 $t_string .= ' - ' . utf8_substr( $row['description'], 0, 20 );
 }
- echo '<option value="', $row['id'], '" title="', $row['name'], '">', $t_string, '</option>';
+ echo '<option value="', $row['id'], '" title="', string_html_entities( $row['name'] ), '">', string_html_entities( $t_string ), '</option>';
 }
 }
diff --git a/tag_update_page.php b/tag_update_page.php
index c9c8416..6023523 100644
--- a/tag_update_page.php
+++ b/tag_update_page.php
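Review bot: In the @@ -3900 hunk the hidden input on the context line directly above the change, `value="<?php echo config_get( 'tag_separator' )?>"`, is still written into an attribute without encoding. It comes from configuration rather than from a tag row, so only someone who can edit the configuration could influence it, but it sits in the same attribute context the commit is fixing and is cheap to close off: `value="<?php echo string_attribute( config_get( 'tag_separator' ) )?>"`. The body of print_filter_tag_string, including where $t_tag_string is assembled, starts outside the hunk.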
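Review bot: The `title` attribute on the new line in print_tag_option_list is encoded with `string_html_entities()`, while the attribute values patched in core/filter_api.php in this same commit use `string_attribute()`; whether the two helpers treat quotes identically is not visible here, and an attribute value is where quote encoding matters, so the consistent form is `'" title="', string_attribute( $row['name'] ), '">'` with `string_html_entities()` kept for the element text. `$row['id']` is also interpolated into `value` unencoded; it presumably arrives from the database as an integer, but wrapping it the same way removes the assumption. The function begins outside the hunk, so the query that fills $row is not reviewable here.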
@@ -38,6 +38,9 @@ $f_tag_id = gpc_get_int( 'tag_id' ); $t_tag_row = tag_get( $f_tag_id ); + $t_name = string_display_line( $t_tag_row['name'] ); + $t_description = string_display( $t_tag_row['description'] ); + if ( !( access_has_global_level( config_get( 'tag_edit_threshold' ) ) || ( auth_get_current_user_id() == $t_tag_row['user_id'] ) && access_has_global_level( config_get( 'tag_edit_own_threshold' ) ) ) ) @@ -45,7 +48,7 @@ access_denied(); } - html_page_top( sprintf( lang_get( 'tag_update' ), $t_tag_row['name'] ) ); + html_page_top( sprintf( lang_get( 'tag_update' ), $t_name ) ); ?> <br/> @@ -56,7 +59,7 @@ <!-- Title --> <tr> <td class="form-title" colspan="2"> - <?php echo sprintf( lang_get( 'tag_update' ), $t_tag_row['name'] ) ?> + <?php echo sprintf( lang_get( 'tag_update' ), $t_name ) ?> <input type="hidden" name="tag_id" value="<?php echo $f_tag_id ?>"/> </td> <td class="right" colspan="3"> @@ -75,7 +78,7 @@ <tr <?php echo helper_alternate_class() ?>> <td><?php echo $t_tag_row['id'] ?></td> - <td><input type="text" <?php echo helper_get_tab_index() ?> name="name" value="<?php echo $t_tag_row['name'] ?>"/></td> + <td><input type="text" <?php echo helper_get_tab_index() ?> name="name" value="<?php echo $t_name ?>"/></td> <td><?php if ( access_has_global_level( config_get( 'tag_edit_threshold' ) ) ) { if ( ON == config_get( 'use_javascript' ) ) { @@ -103,7 +106,7 @@ <tr <?php echo helper_alternate_class() ?>> <td class="category"><?php echo lang_get( 'tag_description' ) ?></td> <td colspan="4"> - <textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo string_textarea( $t_tag_row['description'] ) ?></textarea> + <textarea name="description" <?php echo helper_get_tab_index() ?> cols="80" rows="6"><?php echo string_textarea( $t_description ) ?></textarea> </td> </tr> diff --git a/tag_view_page.php b/tag_view_page.php index 335622a..d947af6 100644 --- a/tag_view_page.php +++ b/tag_view_page.php 
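Review bot: `$t_name` and `$t_description` are built with the display helpers `string_display_line()` and `string_display()` but are then reused in form-field contexts in the hunks at @@ -75 (`value="<?php echo $t_name ?>"`) and @@ -103 (`string_textarea( $t_description )`). If those helpers perform link processing or entity encoding, as their use for page output suggests, the input value can end up carrying generated markup whose quotes terminate the attribute, and the textarea will display a twice-encoded description that is written back encoded on save. The edit fields should take the raw row values through the context-specific encoders, `value="<?php echo string_attribute( $t_tag_row['name'] ) ?>"` and `string_textarea( $t_tag_row['description'] )`, keeping `$t_name`/`$t_description` for the display-only spots in the @@ -45 and @@ -56 hunks. This is page-level code with no enclosing function, and the access check that follows the new lines continues past the hunk.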
@@ -38,7 +38,7 @@ $t_name = string_display_line( $t_tag_row['name'] ); $t_description = string_display( $t_tag_row['description'] ); - html_page_top( sprintf( lang_get( 'tag_details' ), $t_tag_row['name'] ) ); + html_page_top( sprintf( lang_get( 'tag_details' ), $t_name ) ); ?> <br/> @@ -47,7 +47,7 @@ <!-- Title --> <tr> <td class="form-title" colspan="2"> - <?php echo sprintf( lang_get( 'tag_details' ), $t_tag_row['name'] ) ?> + <?php echo sprintf( lang_get( 'tag_details' ), $t_name ) ?> </td> <td class="right" colspan="3"> ----------------------------------------------------------------------- -- Mantis Bug Tracker |
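Review bot: The `$t_name` passed to `html_page_top()` on the added line comes from `string_display_line()` on the context line above, which by its name is a display-formatting helper; if it performs the same link processing as other display helpers, a tag name matching a link pattern would put anchor markup inside the page `<title>`, where it shows as literal text. A plain text encoder is the better fit for the title, e.g. `html_page_top( sprintf( lang_get( 'tag_details' ), string_html_entities( $t_tag_row['name'] ) ) );`, unless `html_page_top()` already encodes its argument, which is not visible here; the same applies to the @@ -47 hunk and to tag_update_page.php. The surrounding page code has no enclosing function.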