From: Simon McVittie Date: Wed, 4 May 2016 07:46:02 +0000 (+0100) Subject: HTML-escape error messages (OVE-20160505-0012) X-Git-Tag: debian/3.20141016.3~16 X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/3a72fd87c7214a508b67ac8dc3567a427240c9c8 HTML-escape error messages (OVE-20160505-0012) The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012) The instances in preprocess() is just correctness. It is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here. --- diff --git a/IkiWiki.pm b/IkiWiki.pm index 1043ef402..b55078af0 100644 --- a/IkiWiki.pm +++ b/IkiWiki.pm @@ -1570,6 +1570,8 @@ sub preprocess ($$$;$$) { if ($@) { my $error=$@; chomp $error; + eval q{use HTML::Entities}; + $error = encode_entities($error); $ret="[[!$command ". gettext("Error").": $error"."]]"; } diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm index f448db6ef..a6c0c2712 100644 --- a/IkiWiki/CGI.pm +++ b/IkiWiki/CGI.pm @@ -491,6 +491,9 @@ sub cgi (;$$) { sub cgierror ($) { my $message=shift; + eval q{use HTML::Entities}; + $message = encode_entities($message); + print "Content-type: text/html\n\n"; print cgitemplate(undef, gettext("Error"), "

".gettext("Error").": $message

");
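Review bot: in the IkiWiki.pm hunk, the `eval q{use HTML::Entities};` added inside the `if ($@)` branch of preprocess() is never checked; if the module fails to load, the next statement `$error = encode_entities($error);` dies with an unrelated "Undefined subroutine" error and the original `$error` is lost. Either test `$@` after the eval or move `use HTML::Entities` to a top-level import, since this path is already an exception handler. It would also help to add a one-line comment on `$ret="[[!$command ". gettext("Error").": $error"."]]";` noting that only `$error` is escaped here and that `$command` is left to the sanitize hook, as the commit message reasons, so a later reader does not assume the whole string is escaped.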
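Review bot: the IkiWiki/CGI.pm hunk makes cgierror() escape every `$message` unconditionally, so any existing caller that deliberately passes markup in its message (a link, a line break) will now render it as literal text; the change should come with a sweep of cgierror's callers and a note in the function's documentation that it takes plain text, not HTML. The same unchecked `eval q{use HTML::Entities};` pattern applies here: a load failure turns an error report into an undefined-subroutine death instead of the page the user should see. One behavioural detail worth a comment: `encode_entities($message)` with no second argument also encodes non-ASCII characters as numeric entities, which is what keeps translated gettext text correct under the `Content-type: text/html` header printed just below without a charset.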