[aur-dev] [PATCH 1/2] Fix some more XSS vulnerabilities
Escape strings properly using htmlspecialchars(). Seems like we missed these in former cleanups. Fixes FS#28515. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- Based on maint. This is applied to our production environment on sigurd. web/template/header.php | 2 +- web/template/pkg_details.php | 2 +- web/template/stats/updates_table.php | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/web/template/header.php b/web/template/header.php index 8313bb3..578fcb9 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -4,7 +4,7 @@ <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="<?php print "$LANG\" lang=\"$LANG"; ?>"> <head> - <title>AUR (<?php print $LANG; ?>)<?php if ($title != "") { print " - " . $title; } ?></title> + <title>AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?></title> <link rel='stylesheet' type='text/css' href='css/fonts.css' /> <link rel='stylesheet' type='text/css' href='css/containers.css' /> <link rel='stylesheet' type='text/css' href='css/arch.css' /> diff --git a/web/template/pkg_details.php b/web/template/pkg_details.php index 880a675..046f836 100644 --- a/web/template/pkg_details.php +++ b/web/template/pkg_details.php @@ -69,7 +69,7 @@ $out_of_date_time = ($row["OutOfDateTS"] == 0) ? $msg : gmdate("r", intval($row[ <p> <span class='f2'><?php echo htmlspecialchars($row['Name']) . ' ' . htmlspecialchars($row['Version']) ?></span><br /> - <span class='f3'><a href="<?php echo htmlspecialchars($row['URL'], ENT_QUOTES) . '">' . $row['URL'] ?></a></span><br /> + <span class='f3'><a href="<?php echo htmlspecialchars($row['URL'], ENT_QUOTES) . '">' . htmlspecialchars($row['URL']) ?></a></span><br /> <span class='f3'><?php echo htmlspecialchars($row['Description'], ENT_QUOTES); ?></span> </p> diff --git a/web/template/stats/updates_table.php b/web/template/stats/updates_table.php index a8cdf5a..8da6732 100644 --- a/web/template/stats/updates_table.php +++ b/web/template/stats/updates_table.php @@ -11,7 +11,7 @@ <td class="boxSoft"> <span class="f4"><span class="blue"> <a href="packages.php?ID=<?php print intval($row["ID"]); ?>"> -<?php print $row["Name"] . ' ' . $row["Version"]; ?> +<?php print htmlspecialchars($row["Name"]) . ' ' . htmlspecialchars($row["Version"]); ?> </a></span></span> </td> <td class="boxSoft"> -- 1.7.9.1
Escape each output string using htmlspecialchars(). These aren't exploitable; it's still better to escape them properly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- Based on maint. This is applied to our production environment on sigurd. web/template/footer.php | 2 +- web/template/header.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/template/footer.php b/web/template/footer.php index 435de5c..0948f68 100644 --- a/web/template/footer.php +++ b/web/template/footer.php @@ -2,7 +2,7 @@ <!-- End of main content --> <?php if ($ver) { - echo "<div class=\"pgbox version\">$ver</div>"; + echo "<div class=\"pgbox version\">" . htmlspecialchars($ver) . "</div>"; } ?> </body> diff --git a/web/template/header.php b/web/template/header.php index 578fcb9..327819e 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -2,7 +2,7 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" - xml:lang="<?php print "$LANG\" lang=\"$LANG"; ?>"> + xml:lang="<?php print htmlspecialchars($LANG) ?>" lang="<?php print htmlspecialchars($LANG) ?>"> <head> <title>AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?></title> <link rel='stylesheet' type='text/css' href='css/fonts.css' /> @@ -52,8 +52,8 @@ reset($SUPPORTED_LANGS); foreach ($SUPPORTED_LANGS as $lang => $lang_name) { print '<a href="' . htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES) - ."?setlang=$lang\" title=\"$lang_name\">" - . strtolower($lang) . "</a>\n"; + ."?setlang=\"" . htmlspecialchars($lang) . "\" title=\"" . htmlspecialchars($lang_name) . "\">" + . htmlspecialchars(strtolower($lang)) . "</a>\n"; } ?> </div> -- 1.7.9.1
Escape each output string using htmlspecialchars(). These aren't exploitable; it's still better to escape them properly. Signed-off-by: Lukas Fleischer <archlinux@cryptocrack.de> --- * Fix typo. * Add "ENT_QUOTES" where appropriate. web/template/footer.php | 2 +- web/template/header.php | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/web/template/footer.php b/web/template/footer.php index 435de5c..0948f68 100644 --- a/web/template/footer.php +++ b/web/template/footer.php @@ -2,7 +2,7 @@ <!-- End of main content --> <?php if ($ver) { - echo "<div class=\"pgbox version\">$ver</div>"; + echo "<div class=\"pgbox version\">" . htmlspecialchars($ver) . "</div>"; } ?> </body> diff --git a/web/template/header.php b/web/template/header.php index 578fcb9..8749dae 100644 --- a/web/template/header.php +++ b/web/template/header.php @@ -2,7 +2,7 @@ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" - xml:lang="<?php print "$LANG\" lang=\"$LANG"; ?>"> + xml:lang="<?php print htmlspecialchars($LANG, ENT_QUOTES) ?>" lang="<?php print htmlspecialchars($LANG, ENT_QUOTES) ?>"> <head> <title>AUR (<?php print htmlspecialchars($LANG); ?>)<?php if ($title != "") { print " - " . htmlspecialchars($title); } ?></title> <link rel='stylesheet' type='text/css' href='css/fonts.css' /> @@ -52,8 +52,8 @@ reset($SUPPORTED_LANGS); foreach ($SUPPORTED_LANGS as $lang => $lang_name) { print '<a href="' . htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES) - ."?setlang=$lang\" title=\"$lang_name\">" - . strtolower($lang) . "</a>\n"; + ."?setlang=" . htmlspecialchars($lang, ENT_QUOTES) . "\" title=\"" . htmlspecialchars($lang_name, ENT_QUOTES) . "\">" + . htmlspecialchars(strtolower($lang)) . "</a>\n"; } ?> </div> -- 1.7.9.1
participants (1)
-
Lukas Fleischer