From a26eb1e0747bd1a3fca04a7aea603232b9793375 Mon Sep 17 00:00:00 2001
From: Axel Beckert
Date: Thu, 2 Oct 2008 01:05:34 +0000
Subject: [PATCH] Minimal version of Kevin's patch against CVE-2008-2236 (no additional variable $esc_flavour since $flavour should never contain any HTML code and therefore the distinction between escaped and unescaped is not necessary and doesn't make it necessary to change any templates. (We only can change ours.)

---
 blosxom.cgi | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/blosxom.cgi b/blosxom.cgi
index eae39bf..44edf47 100755
--- a/blosxom.cgi
+++ b/blosxom.cgi
@@ -2,7 +2,7 @@
 # Blosxom
 # Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008)
-# Version: 2.1.1 ($Id: blosxom.cgi,v 1.83 2008/07/30 22:27:02 xtaran Exp $)
+# Version: 2.1.1 ($Id: blosxom.cgi,v 1.84 2008/10/02 01:05:34 xtaran Exp $)
 # Home/Docs/Licensing: http://blosxom.sourceforge.net/
 # Development/Downloads: http://sourceforge.net/projects/blosxom
 
@@ -214,6 +214,23 @@ if (! ($flavour = param('flav'))) {
 }
 $flavour ||= $default_flavour;
 
+# Fix XSS in flavour name (CVE-2008-2236)
+$flavour = blosxom_html_escape($flavour);
+
+sub blosxom_html_escape {
+ my $string = shift;
+ my %escape = (
+ '<' => '<',
+ '>' => '>',
+ '&' => '&',
+ '"' => '"',
+ "'" => '''
+ );
+ my $escape_re = join '|' => keys %escape;
+ $string =~ s/($escape_re)/$escape{$1}/g;
+ $string;
+}
+
 # Global variable to be used in head/foot.{flavour} templates
 $path_info = '';
 # Add all @path_info elements to $path_info till we come to one that could be a year
-- 
2.30.2
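Review bot: The new line `$flavour = blosxom_html_escape($flavour);` escapes the attacker-controlled flavour for an HTML text context but does not constrain it, even though the commit message itself says a flavour should never contain HTML; a whitelist makes that an invariant instead of relying on every later use of `$flavour` (presumably template-file selection and links carrying `flav=`, which are outside this hunk) being an HTML text context where entity escaping is the right defence. I would validate and fall back rather than escape, e.g. `$flavour = $default_flavour unless $flavour =~ /\A[A-Za-z0-9_-]+\z/;`, and keep `blosxom_html_escape` only as a helper for places that genuinely emit it into markup. As rendered here the `%escape` values read as the same characters as their keys (`'<' => '<'`), which would make the substitution a no-op; this looks like entity decoding during page extraction, but it is worth confirming the committed file holds `&lt;`, `&gt;`, `&amp;`, `&quot;` and `&#39;`. The alternation built by `join '|' => keys %escape` is only safe because none of the current keys is a regex metacharacter; `s/([<>&"'])/$escape{$1}/g` avoids that trap if the map grows. The `if` block whose closing brace opens this hunk starts outside it.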