
Proposed fixes for potential XSS issues in xapian-omega



I've discussed these with the security team, and they decided it was most
appropriate to handle them via a stable update.  I've attached a debdiff
showing the changes I'm proposing.

Most of it is hopefully clear enough, but I think a couple of things
may need explanation:

* I'd like to remove a poorly thought out feature (the HILITECLASS CGI
  parameter) which is hard to fix to prevent XSS attacks without breaking
  potential uses.  It has never been documented, and I can find no
  indication that anyone actually uses it, so my preference is just to
  remove it.  It is gone from newer upstream releases without any
  complaints from users.

* The $add{} change is just a cheap trick to eliminate any non-numeric
  values (they'll become 0).

All these changes have been in upstream releases since 1.2.5 (released
2011-04-04) with no reports of any issues.

Cheers,
    Olly

diff -Nru xapian-omega-1.2.3/debian/changelog xapian-omega-1.2.3/debian/changelog
--- xapian-omega-1.2.3/debian/changelog	2010-08-24 21:11:59.000000000 +1200
+++ xapian-omega-1.2.3/debian/changelog	2011-09-15 01:24:23.000000000 +1200
@@ -1,3 +1,11 @@
+xapian-omega (1.2.3-1+squeeze1) stable; urgency=low
+
+  * Fix escaping issues in templates: godmode, opensearch, query, xml.
+    + Undocumented and apparently unused CGI parameter HILITECLASS is
+      no longer supported by the xml template.
+
+ -- Olly Betts <olly@survex.com>  Wed, 14 Sep 2011 13:12:44 +0000
+
 xapian-omega (1.2.3-1) unstable; urgency=low
 
   * New upstream release.
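Review bot: the new changelog entry should say that these are cross-site scripting fixes (the cover mail calls them XSS issues) so that anyone reading stable-update changelogs can judge severity; "Fix escaping issues in templates" on its own reads as cosmetic. If a bug or advisory number has been assigned for this update, reference it here as well rather than only in the mail thread.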
diff -Nru xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch
--- xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch	1970-01-01 12:00:00.000000000 +1200
+++ xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch	2011-09-15 01:26:37.000000000 +1200
@@ -0,0 +1,134 @@
+Description: Fix escaping issues in templates
+Author: Olly Betts <olly@survex.com>
+
+---
+
+Origin: upstream
+Forwarded: not-needed
+
+--- xapian-omega-1.2.3.orig/templates/query
++++ xapian-omega-1.2.3/templates/query
+@@ -60,7 +60,7 @@ $if{$opt{topterms},
+  </div>
+ }
+ <br>
+-$if{$suggestion,Did you mean: <a href="$html{$or{$env{SCRIPT_NAME},omega}}?DB=$url{$dbname}&P=$url{$suggestion}$if{$ne{$hitsperpage,10},&HITSPERPAGE=$hitsperpage}$if{$fmt,&FMT=$html{$fmt}}$if{$cgi{COLLAPSE},&COLLAPSE=$cgi{COLLAPSE}}$map{$relevants,&R=$_}$if{$cgi{THRESHOLD},&THRESHOLD=$html{$cgi{THRESHOLD}}"}$map{$cgilist{B},&B=$html{$_}}&SPELL=0">$html{$suggestion}</a><br>}
++$if{$suggestion,Did you mean: <a href="$html{$or{$env{SCRIPT_NAME},omega}?DB=$url{$dbname}&P=$url{$suggestion}$if{$ne{$hitsperpage,10},&HITSPERPAGE=$hitsperpage}$if{$fmt,&FMT=$url{$fmt}}$if{$cgi{COLLAPSE},&COLLAPSE=$url{$cgi{COLLAPSE}}}$map{$relevants,&R=$_}$if{$cgi{THRESHOLD},&THRESHOLD=$url{$cgi{THRESHOLD}}"}$map{$cgilist{B},&B=$url{$_}}&SPELL=0}">$html{$suggestion}</a><br>}
+ $or{$html{$error},
+ $if{$eq{$msize,0},
+ $if{$query,No documents match your query,
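Review bot: the stray double quote in `$if{$cgi{THRESHOLD},&THRESHOLD=$url{$cgi{THRESHOLD}}"}` is carried over unchanged from the old line; now that the whole href sits inside `$html{}` it renders as `&quot;` rather than terminating the attribute, but it still puts a literal quote into the suggestion link whenever THRESHOLD is set, so it looks like it should simply be dropped. Separately, `$hitsperpage` and the `$map{$relevants,&R=$_}` values are the only parts of the href that are neither `$url{}`- nor `$html{}`-escaped individually; that is fine only if both are guaranteed numeric by the time the template sees them, which deserves a template comment so nobody later treats it as an oversight.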
+@@ -84,7 +84,7 @@ ${<IMG SRC="/icons/omega/score-$div{$per
+ </div></div>
+ <div style='float:left;margin-top:2px;font-size:x-small;'>
+ $if{$and{$field{modtime},$ne{$field{modtime},-1}},
+-<script type="text/javascript">write_date($field{modtime});</script>
++<script type="text/javascript">write_date($add{$field{modtime}});</script>
+ <noscript>
+ <span title="$html{$date{$field{modtime},%Y-%m-%d %H:%M:%S}}">
+ Modified:<br><b>$html{$date{$field{modtime},%Y-%m-%d}}</b></span>
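Review bot: `$add{$field{modtime}}` with a single argument reads as a no-op to anyone who has not read the cover mail, so a `${...}` comment of the kind these templates already use (for example `${for lynx:}`) stating that `$add{}` coerces the value to a number, non-numeric becoming 0, would stop a future cleanup from removing it and reopening the script injection. The `<noscript>` branch needs no change, since its `$date{}` output is already inside `$html{}`.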
+@@ -97,9 +97,9 @@ $if{$field{size},<span title="$html{$fie
+ </div>
+ </div>
+ </td>
+-<td><B><A HREF="$field{url}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
++<td><B><A HREF="$html{$field{url}}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
+ <small>$highlight{$field{sample},$terms}$if{$field{sample},...}</small><br>
+-<A HREF="$field{url}">$html{$field{url}}</A><br>
++<A HREF="$html{$field{url}}">$html{$field{url}}</A><br>
+ <small>
+ $percentage% relevant$. matching:
+ <i>$list{$map{$terms,$html{$prettyterm{$_}}},$. ,</i> and <i>}</i></small>${for lynx:}<p></td></tr>}
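Review bot: wrapping `$field{url}` in `$html{}` closes the attribute breakout on both `HREF="..."` lines, but `$html{}` only escapes markup characters and does not restrict the URL scheme, so the indexed url field is still used verbatim as the link target. If the indexer does not guarantee that this field is an http or https URL, either the indexer should validate the scheme on the way in or the template should, and the same consideration applies to the two identical `HREF="$html{$field{url}}"` lines in the godmode hunk further down.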
+--- xapian-omega-1.2.3.orig/templates/opensearch
++++ xapian-omega-1.2.3/templates/opensearch
+@@ -2,7 +2,7 @@ $httpheader{Content-Type,application/xml
+   <rss version="2.0" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/";>
+     <channel>
+       <title>Xapian search results</title>
+-      <link>$html{$env{SCRIPT_NAME}?DB=$dbname&P=$query}</link>
++      <link>$html{$env{SCRIPT_NAME}?DB=$url{$dbname}&P=$url{$query}}</link>
+       <description>Search results for "$html{$query}" at xapian.org</description>
+       <language>en</language>
+       <copyright>(C)2005, Xapian.org</copyright>
+--- xapian-omega-1.2.3.orig/templates/godmode
++++ xapian-omega-1.2.3/templates/godmode
+@@ -2,18 +2,18 @@ $set{thousand,$.}$set{decimal,.}<html>
+ <head>
+ <title>Omega:
+ $if{$cgi{ID},
+-Document #$cgi{ID},
++Document #$html{$cgi{ID}},
+ $if{$ne{$msize,0},
+ Term "$html{$cgi{B}}",
+ Choose what to Inspect}}
+ </title>
+ </head>
+ <body bgcolor=white>
+-<form METHOD=GET ACTION="$env{SCRIPT_NAME}">
++<form METHOD=GET ACTION="$html{$env{SCRIPT_NAME}}">
+ 
+ $if{$cgi{ID},
+ $setrelevant{$cgi{ID}}
+-<H1>Document #$cgi{ID}</H1>
++<H1>Document #$html{$cgi{ID}}</H1>
+     
+ <H2>Terms indexing this document</H2>
+ 
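Review bot: `$cgi{ID}` is now `$html{}`-escaped in the two places it is printed, but `$setrelevant{$cgi{ID}}` still receives the raw value. That is acceptable for an internal call, yet since ID is a document number, applying the same `$add{}` coercion used for modtime in the query hunk (for instance via `$set{}`, which this template already uses on its first line) would yield one sanitised value for all three uses instead of relying on each output site to escape separately.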
+@@ -21,7 +21,7 @@ $setrelevant{$cgi{ID}}
+ <tr><th>Frequency</th><th align=left>Term</th></tr>
+ $map{$allterms{$cgi{ID}},
+ <tr><td align=right>$freq{$_}</td>
+-<td><A HREF="$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&B=$url{$_}">$html{$_}</A></td></tr>}
++<td><A HREF="$html{$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&B=$url{$_}}">$html{$_}</A></td></tr>}
+ </table>
+ 
+ <H2>Document Data</H2>
+@@ -50,11 +50,11 @@ $if{$not{$msizeexact},
+ <hr>
+ <table>
+ $hitlist{<TR>
+-<td align=right><A HREF="$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&ID=$id">#$id</A>&nbsp;</td>
++<td align=right><A HREF="$html{$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&ID=$id}">#$id</A>&nbsp;</td>
+ <TD><B><small>$html{$date{$field{modtime},%Y-%m-%d %H:%M}}</small>
+-<A HREF="$field{url}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
++<A HREF="$html{$field{url}}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
+ <small>$highlight{$field{sample},$terms}$if{$field{sample},...}</small><br>
+-<A HREF="$field{url}">$html{$field{url}}</A><br>
++<A HREF="$html{$field{url}}">$html{$field{url}}</A><br>
+ <hr></TD></TR>}
+ </table>
+ ${suppress next, prev, and page links if there's only one page}
+@@ -82,7 +82,7 @@ $NEXT
+ }
+ }}
+ $if{$or{$error,$and{$not{$cgi{ID}},$eq{$msize,0}}},
+-$if{$error,</form><div style="border:dotted;border-width:1px;padding:.5em;margin:.5em;background-color:yellow">$html{$error}</div><form METHOD=GET ACTION="$env{SCRIPT_NAME}">}
++$if{$error,</form><div style="border:dotted;border-width:1px;padding:.5em;margin:.5em;background-color:yellow">$html{$error}</div><form METHOD=GET ACTION="$html{$env{SCRIPT_NAME}}">}
+ Inspect document # <INPUT NAME=ID SIZE=10>
+ <INPUT TYPE=SUBMIT VALUE="Inspect">
+ <hr>
+--- xapian-omega-1.2.3.orig/templates/xml
++++ xapian-omega-1.2.3/templates/xml
+@@ -19,20 +19,20 @@ $map{$queryterms,<queryterm term="$html{
+ </queryterms>
+ <hits>
+ $hitlist{
+-<hit id="$id" relevance="$percentage%" modtime="$field{modtime}"
++<hit id="$id" relevance="$percentage%" modtime="$html{$field{modtime}}"
+ url="$html{$field{url}}" title="$html{$field{title}}"
+ $if{$field{language},language="$field{language}",}
+ $if{$field{size},size="$html{$field{size}}",}
+ $if{$field{sitename},sitename="$html{$field{sitename}}",}
+ score="$html{$score}"
+ sample="$html{$htmlstrip{$field{sample}}}"
+-example="$html{$highlight{$htmlstrip{$field{sample}},$terms,<strong $cgi{HILITECLASS}>}}"
++example="$html{$highlight{$htmlstrip{$field{sample}},$terms,<strong>}}"
+ $if{$ne{$collapsed,0}, collapsecount="$html{$collapsed}" collapsegroup="$html{$value{$cgi{COLLAPSE}}}"}
+ ><keywords>
+ $map{$field{keywords},<keyword keyword="$html{$_}" />}
+ </keywords>
+ <terms>
+-$map{$html{$terms},<term term="$html{$_}" show="$html{$prettyterm{$_}}" />}
++$map{$terms,<term term="$html{$_}" show="$html{$prettyterm{$_}}" />}
+ </terms>
+ </hit>
+ }
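Review bot: the unchanged context line `$if{$field{language},language="$field{language}",}` just after the modtime change still emits the language field raw into an attribute, while the neighbouring `url`, `title`, `size` and `sitename` attributes are all `$html{}`-wrapped; it comes from the same indexed document data as `modtime` and should get the same treatment. The `$map{$html{$terms},...}` to `$map{$terms,...}` change is correct: each `$_` is already escaped inside the map body, so the outer `$html{}` was double-escaping the term list.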
diff -Nru xapian-omega-1.2.3/debian/patches/series xapian-omega-1.2.3/debian/patches/series
--- xapian-omega-1.2.3/debian/patches/series	1970-01-01 12:00:00.000000000 +1200
+++ xapian-omega-1.2.3/debian/patches/series	2011-09-15 01:24:54.000000000 +1200
@@ -0,0 +1 @@
+fix-escaping-issues-in-templates.patch
