author: Simon McVittie <smcv@debian.org> 2016-05-04 08:46:02 +0100
committer: Simon McVittie <smcv@debian.org> 2016-05-05 23:43:17 +0100
commit: 32ef584dc5abb6ddb9f794f94ea0b2934967bba7 (patch)
tree: 0610975a5b3b70b785999dc2dd7fa1a4ef53ae30
parent: 355ba851378a8194fa62db4be97015f0675d34aa (diff)
HTML-escape error messages (OVE-20160505-0012)
The instance in cgierror() is a potential cross-site scripting attack, because an attacker could conceivably cause some module to raise an exception that includes attacker-supplied HTML in its message, for example via a crafted filename. (OVE-20160505-0012)

The instance in preprocess() is just correctness. It is not a cross-site scripting attack, because an attacker could equally well write the desired HTML themselves; the sanitize hook is what protects us from cross-site scripting here.
IkiWiki.pm     | 2 ++
IkiWiki/CGI.pm | 3 +++
2 files changed, 5 insertions, 0 deletions
diff --git a/IkiWiki.pm b/IkiWiki.pm
index 0f27ac419..fa71f4791 100644
--- a/IkiWiki.pm
+++ b/IkiWiki.pm
@@ -1647,6 +1647,8 @@ sub preprocess ($$$;$$) {
if ($@) {
my $error=$@;
chomp $error;
+ eval q{use HTML::Entities};
+ $error = encode_entities($error);
$ret="[[!$command <span class=\"error\">".
gettext("Error").": $error"."</span>]]";
}
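Review bot: the string-eval `eval q{use HTML::Entities};` is not checked for failure before `encode_entities($error)` is called, so if the module cannot be loaded this error-reporting path itself dies with an undefined-subroutine error instead of reporting the original directive failure. Either load the module unconditionally with a plain `use HTML::Entities;` at the top of IkiWiki.pm, or test `$@` after the eval and fall back to a minimal manual escape of `&`, `<`, `>` and `"` so the error span is still produced. The escaping itself is placed correctly: `$error` is encoded once, before it is interpolated into the `<span class="error">` text, and the surrounding `[[!$command ...]]` markup is left untouched.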
diff --git a/IkiWiki/CGI.pm b/IkiWiki/CGI.pm
index cbc2fe8eb..243662386 100644
--- a/IkiWiki/CGI.pm
+++ b/IkiWiki/CGI.pm
@@ -488,6 +488,9 @@ sub cgi (;$$) {
sub cgierror ($) {
my $message=shift;
+ eval q{use HTML::Entities};
+ $message = encode_entities($message);
+
print "Content-type: text/html\n\n";
print cgitemplate(undef, gettext("Error"),
"<p class=\"error\">".gettext("Error").": $message</p>");
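Review bot: the same unchecked `eval q{use HTML::Entities};` pattern appears here, and in cgierror() the consequence is worse: this is the last-resort handler, so a load failure followed by the `encode_entities($message)` call dying would leave the user with no error page at all, and with the `Content-type` header not yet sent. A plain `use HTML::Entities;` at file scope, or a checked `$@` with a fallback escape, keeps the handler robust. Encoding `$message` before it reaches the `<p class="error">` element is the right fix for the XSS the commit message describes, since that output is printed directly and never passes through the sanitize hook that protects preprocess() output.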