From bcfba8cdb50dcaca9faa182955825670efb15852 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Wed, 4 May 2016 08:46:02 +0100
Subject: [PATCH] HTML-escape error messages (CVE-2016-4561)

The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012, CVE-2016-4561)

The instances in preprocess() is just correctness. It is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here.
---
 IkiWiki.pm | 2 ++
 IkiWiki/CGI.pm | 3 +++
 debian/changelog | 7 +++++++
 3 files changed, 12 insertions(+)

diff --git a/IkiWiki.pm b/IkiWiki.pm
index f68797ae3..1433af99b 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -1481,6 +1481,8 @@ sub preprocess ($$$;$$) {
 if ($@) {
 my $error=$@;
 chomp $error;
+ eval q{use HTML::Entities};
+ $error = encode_entities($error);
 $ret="[[!$command ".
 gettext("Error").": $error"."]]";
 }
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index 5baa6c179..b6923b54f 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -460,6 +460,9 @@ sub cgi (;$$) {
 sub cgierror ($) {
 my $message=shift;
 
+ eval q{use HTML::Entities};
+ $message = encode_entities($message);
+
 print "Content-type: text/html\n\n";
 print cgitemplate(undef, gettext("Error"), "
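Review bot: The result of `eval q{use HTML::Entities};` is never checked, so if the module fails to load, `encode_entities($error)` dies with an unrelated "Undefined subroutine" error from inside the error-reporting branch and the original directive error is lost; the same applies to the added lines in the IkiWiki/CGI.pm hunk. The usual shape for a runtime load in this codebase is to follow the eval with `error($@) if $@;` (or at minimum `die $@ if $@;`) so a missing dependency is reported as such rather than masked. HTML::Entities is presumably already a hard dependency of ikiwiki, so this is a robustness point rather than an expected failure, but an error path should not be able to hide its own cause. Also note that the string eval is recompiled every time this branch runs; a file-level `use HTML::Entities;` would be cheaper and would surface load failures at startup, if the project's lazy-loading convention allows it. The enclosing preprocess() body starts and ends outside the hunk.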

".gettext("Error").": $message

");
diff --git a/debian/changelog b/debian/changelog
index 765edac6e..919814f2f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+ikiwiki (3.20120629.3) UNRELEASED; urgency=medium
+
+ * HTML-escape error messages, in one case avoiding potential cross-site
+ scripting (CVE-2016-4561, OVE-20160505-0012)
+
+ -- Simon McVittie Sun, 08 May 2016 15:33:51 +0100
+
 ikiwiki (3.20120629.2) wheezy; urgency=medium
 
 [ Joey Hess ]
-- 
2.39.5
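Review bot: Encoding `$message` unconditionally in cgierror() means any caller that already passes pre-escaped or deliberately marked-up HTML will now render the entity or tag text literally, so the call sites should be audited for double encoding; the direction of the fix is right, since this is the last point at which the text can be escaped before it is interpolated into the template string on the following lines. With no second argument, encode_entities (as far as I recall) also encodes control and non-ASCII characters as entities, which is desirable here because the `Content-type: text/html` header in the hunk declares no charset, so the default character set should be kept rather than narrowed to `<>&"'`. The unchecked module load is covered in the note on the IkiWiki.pm hunk. The closing brace of cgierror() lies outside the hunk.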