diff options
Diffstat (limited to 'www-apps/roundup/files/roundup-1.6.0-xss.patch')
-rw-r--r-- | www-apps/roundup/files/roundup-1.6.0-xss.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/www-apps/roundup/files/roundup-1.6.0-xss.patch b/www-apps/roundup/files/roundup-1.6.0-xss.patch new file mode 100644 index 000000000000..44a607e0c46b --- /dev/null +++ b/www-apps/roundup/files/roundup-1.6.0-xss.patch @@ -0,0 +1,35 @@ +changeset: 5665:ab37c1705dbf +branch: maint-1.6 +parent: 5635:ea35ab75a4c0 +user: John Rouillard <rouilj@ieee.org> +date: Fri Mar 22 18:16:11 2019 -0400 +files: CHANGES.txt frontends/roundup.cgi roundup/cgi/wsgi_handler.py +description: +Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035 + + +diff -r ea35ab75a4c0 -r ab37c1705dbf frontends/roundup.cgi +--- a/frontends/roundup.cgi Thu Mar 07 15:42:21 2019 +0100 ++++ b/frontends/roundup.cgi Fri Mar 22 18:16:11 2019 -0400 +@@ -179,7 +179,7 @@ + request.send_response(404) + request.send_header('Content-Type', 'text/html') + request.end_headers() +- out.write('Not found: %s'%client.path) ++ out.write('Not found: %s'%cgi.escape(client.path)) + + else: + import urllib +diff -r ea35ab75a4c0 -r ab37c1705dbf roundup/cgi/wsgi_handler.py +--- a/roundup/cgi/wsgi_handler.py Thu Mar 07 15:42:21 2019 +0100 ++++ b/roundup/cgi/wsgi_handler.py Fri Mar 22 18:16:11 2019 -0400 +@@ -66,7 +66,7 @@ + client.main() + except roundup.cgi.client.NotFound: + request.start_response([('Content-Type', 'text/html')], 404) +- request.wfile.write('Not found: %s'%client.path) ++ request.wfile.write('Not found: %s'%cgi.escape(client.path)) + + # all body data has been written using wfile + return [] + |