From: Simon McVittie <smcv@debian.org>
Date: Wed, 4 May 2016 07:46:02 +0000 (+0100)
Subject: HTML-escape error messages (CVE-2016-4561)
X-Git-Tag: debian/3.20120629.2+deb7u2~47
X-Git-Url: http://git.vanrenterghem.biz/git.ikiwiki.info.git/commitdiff_plain/bcfba8cdb50dcaca9faa182955825670efb15852?ds=inline

HTML-escape error messages (CVE-2016-4561)

The instance in cgierror() is a potential cross-site scripting attack,
because an attacker could conceivably cause some module to raise an
exception that includes attacker-supplied HTML in its message, for
example via a crafted filename. (OVE-20160505-0012, CVE-2016-4561)

The instance in preprocess() is just correctness. It is not a
cross-site scripting attack, because an attacker could equally well
write the desired HTML themselves; the sanitize hook is what
protects us from cross-site scripting here.
---

diff --git a/IkiWiki.pm b/IkiWiki.pm
index f68797ae3..1433af99b 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -1481,6 +1481,8 @@ sub preprocess ($$$;$$) {
 				if ($@) {
 					my $error=$@;
 					chomp $error;
+					eval q{use HTML::Entities};
+					$error = encode_entities($error);
 				 	$ret="[[!$command <span class=\"error\">".
 						gettext("Error").": $error"."</span>]]";
 				}
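Review bot: the `eval q{use HTML::Entities};` added at the top of this hunk swallows a load failure silently, and if the module is not installed the next line, `$error = encode_entities($error);`, dies with an undefined-subroutine error inside what is already the error-handling branch, so the original message is lost. Since the module is now required for correctness, a plain `use HTML::Entities;` at file scope (or a check of `$@` after the eval with a fallback escape) would be safer. The ordering is right as written: `$error` is copied from `$@` before the eval, which would otherwise clobber it. One caveat: with no second argument encode_entities also turns every non-ASCII character into an entity, so translated error text stays correct but becomes hard to read in the page source; `encode_entities($error, '<>&"\'')` limits the escaping to the characters that matter for this context.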
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 5baa6c179..b6923b54f 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -460,6 +460,9 @@ sub cgi (;$$) {
 sub cgierror ($) {
 	my $message=shift;
 
+	eval q{use HTML::Entities};
+	$message = encode_entities($message);
+
 	print "Content-type: text/html\n\n";
 	print cgitemplate(undef, gettext("Error"),
 		"<p class=\"error\">".gettext("Error").": $message</p>");
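Review bot: same concern as in IkiWiki.pm, with higher stakes here: cgierror() is the last-resort error reporter for the CGI, so if the `eval q{use HTML::Entities};` fails silently, the following `encode_entities($message)` turns the error report itself into a second fatal error and the user sees nothing useful. A file-scope `use HTML::Entities;` avoids that. Also, because `$message` is now escaped unconditionally, any caller that deliberately passes markup in its message will have it displayed literally; the callers of cgierror() should be audited once so that escaping happens exactly once, in this function, which is the right place for it since this is where the string meets HTML.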
diff --git a/debian/changelog b/debian/changelog
index 765edac6e..919814f2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
+
+  * HTML-escape error messages, in one case avoiding potential cross-site
+    scripting (CVE-2016-4561, OVE-20160505-0012)
+
+ -- Simon McVittie <smcv@debian.org>  Sun, 08 May 2016 15:33:51 +0100
+
 ikiwiki (3.20120629.2) wheezy; urgency=medium
 
   [ Joey Hess ]
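Review bot: the changelog trailer date (Sun, 08 May 2016) is later than the commit date in the header (Wed, 4 May 2016); that is harmless while the distribution is UNRELEASED, but it should be refreshed when the entry is finalized for upload. The entry could also name the two code paths touched (preprocess() in IkiWiki.pm and cgierror() in IkiWiki/CGI.pm) and say which one is the cross-site scripting fix, as the commit message does, so that readers of the changelog alone can tell which change carries CVE-2016-4561.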