From: Axel Beckert Date: Thu, 2 Oct 2008 01:05:34 +0000 (+0000) Subject: Minimal version of Kevin's patch against CVE-2008-2236 (no additional variable $esc_f... X-Git-Tag: v2_1_2~3 X-Git-Url: https://git.stderr.nl/gitweb?p=matthijs%2Fupstream%2Fblosxom.git;a=commitdiff_plain;h=a26eb1e0747bd1a3fca04a7aea603232b9793375;hp=1f57e9bf90671bd2c3291bbc0bdfeb52fb999ace Minimal version of Kevin's patch against CVE-2008-2236 (no additional variable $esc_flavour since $flavour should never contain any HTML code and therefore the distinction between escaped and unescaped is not necessary and doesn't make it necessary to change any templates. (We only can change ours.) --- diff --git a/blosxom.cgi b/blosxom.cgi index eae39bf..44edf47 100755 --- a/blosxom.cgi +++ b/blosxom.cgi @@ -2,7 +2,7 @@ # Blosxom # Author: Rael Dornfest (2002-2003), The Blosxom Development Team (2005-2008) -# Version: 2.1.1 ($Id: blosxom.cgi,v 1.83 2008/07/30 22:27:02 xtaran Exp $) +# Version: 2.1.1 ($Id: blosxom.cgi,v 1.84 2008/10/02 01:05:34 xtaran Exp $) # Home/Docs/Licensing: http://blosxom.sourceforge.net/ # Development/Downloads: http://sourceforge.net/projects/blosxom @@ -214,6 +214,23 @@ if (! ($flavour = param('flav'))) { } $flavour ||= $default_flavour; +# Fix XSS in flavour name (CVE-2008-2236) +$flavour = blosxom_html_escape($flavour); + +sub blosxom_html_escape { + my $string = shift; + my %escape = ( + '<' => '<', + '>' => '>', + '&' => '&', + '"' => '"', + "'" => ''' + ); + my $escape_re = join '|' => keys %escape; + $string =~ s/($escape_re)/$escape{$1}/g; + $string; +} + # Global variable to be used in head/foot.{flavour} templates $path_info = ''; # Add all @path_info elements to $path_info till we come to one that could be a year
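Review bot: the first hunk only bumps the RCS $Id keyword (1.83 to 1.84) while the Version header still reads 2.1.1; if the 2.1.2 bump for this CVE fix is not landing in a separate commit, this is the place to do it so that downstream users can tell a patched blosxom.cgi from an unpatched one by the header alone.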
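Review bot: as shown here, every value in %escape is identical to its key ('<' => '<', '"' => '"', "'" => '''), so s/($escape_re)/$escape{$1}/g would replace each character with itself and blosxom_html_escape() would be a no-op, and "'" => ''' is not even valid Perl as written. The values must be the HTML entity references (&lt; &gt; &amp; &quot; and, for the single quote, &#39; rather than &apos;, which older HTML parsers do not recognise); the entities have almost certainly been decoded by the page rendering, so please verify against the committed file rather than this view. Two smaller points on the same block: since $flavour selects the head/foot.{flavour} template files and, per the commit message, should never contain markup, a whitelist such as $flavour = $default_flavour unless $flavour =~ /^[\w-]+$/ would reject a hostile value outright instead of passing an escaped variant on to the file lookup; and the alternation built with join '|' => keys %escape is only correct because none of the current keys are regex metacharacters, so join '|', map { quotemeta } keys %escape would keep it safe if the map ever grows.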