]> git.vanrenterghem.biz Git - git.ikiwiki.info.git/commitdiff
HTML-escape error messages (CVE-2016-4561)
authorSimon McVittie <smcv@debian.org>
Wed, 4 May 2016 07:46:02 +0000 (08:46 +0100)
committerSimon McVittie <smcv@debian.org>
Sun, 8 May 2016 14:34:23 +0000 (15:34 +0100)
The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012, CVE-2016-4561)

The instances in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.

IkiWiki.pm
IkiWiki/CGI.pm
debian/changelog

index f68797ae3b962bc7556308fffa0da5d644c46ca3..1433af99b3b8b0a6c9a93dc9ff6edd8ff808674b 100644 (file)
@@ -1481,6 +1481,8 @@ sub preprocess ($$$;$$) {
                                if ($@) {
                                        my $error=$@;
                                        chomp $error;
+                                       eval q{use HTML::Entities};
+                                       $error = encode_entities($error);
                                        $ret="[[!$command <span class=\"error\">".
                                                gettext("Error").": $error"."</span>]]";
                                }
index 5baa6c1798ef02e1f45680daa032da17674fafb0..b6923b54f89e55e0878977fdc906d849baa81e9f 100644 (file)
@@ -460,6 +460,9 @@ sub cgi (;$$) {
 sub cgierror ($) {
        my $message=shift;
 
+       eval q{use HTML::Entities};
+       $message = encode_entities($message);
+
        print "Content-type: text/html\n\n";
        print cgitemplate(undef, gettext("Error"),
                "<p class=\"error\">".gettext("Error").": $message</p>");
index 765edac6e1f9a85d7c3e531050d0c9ed4526c141..919814f2f8f01f7084a700874a19e5dd208c2fdb 100644 (file)
@@ -1,3 +1,10 @@
+ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
+
+  * HTML-escape error messages, in one case avoiding potential cross-site
+    scripting (CVE-2016-4561, OVE-20160505-0012)
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 15:33:51 +0100
+
 ikiwiki (3.20120629.2) wheezy; urgency=medium
 
   [ Joey Hess ]