I've discussed these with the security team, and they decided it was most appropriate to handle them via a stable update. I've attached a debdiff showing the changes I'm proposing. Most of it is hopefully clear enough, but I think a couple of things may need explanation: * I'd like to remove a poorly thought out feature (the HILITECLASS CGI parameter) which is hard to fix to prevent XSS attacks without breaking potential uses. It has never been documented, and I can find no indication that anyone actually uses it, so my preference is just to remove it. It is gone from newer upstream releases without any complaints from users. * The $add{} change is just a cheap trick to eliminate any non-numeric values (they'll become 0). All these changes have been in upstream releases since 1.2.5 (released 2011-04-04) with no reports of any issues. Cheers, Olly
diff -Nru xapian-omega-1.2.3/debian/changelog xapian-omega-1.2.3/debian/changelog
--- xapian-omega-1.2.3/debian/changelog 2010-08-24 21:11:59.000000000 +1200
+++ xapian-omega-1.2.3/debian/changelog 2011-09-15 01:24:23.000000000 +1200
@@ -1,3 +1,11 @@
+xapian-omega (1.2.3-1+squeeze1) stable; urgency=low
+
+ * Fix escaping issues in templates: godmode, opensearch, query, xml.
+ + Undocumented and apparently unused CGI parameter HILITECLASS is
+ no longer supported by the xml template.
+
+ -- Olly Betts <olly@survex.com> Wed, 14 Sep 2011 13:12:44 +0000
+
 xapian-omega (1.2.3-1) unstable; urgency=low
 
 * New upstream release.
diff -Nru xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch
--- xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch 1970-01-01 12:00:00.000000000 +1200
+++ xapian-omega-1.2.3/debian/patches/fix-escaping-issues-in-templates.patch 2011-09-15 01:26:37.000000000 +1200
@@ -0,0 +1,134 @@
+Description: Fix escaping issues in templates
+Author: Olly Betts <olly@survex.com>
+
+---
+
+Origin: upstream
+Forwarded: not-needed
+
+--- xapian-omega-1.2.3.orig/templates/query
++++ xapian-omega-1.2.3/templates/query
+@@ -60,7 +60,7 @@ $if{$opt{topterms},
+ </div>
+ }
+ <br>
+-$if{$suggestion,Did you mean: <a href="$html{$or{$env{SCRIPT_NAME},omega}}?DB=$url{$dbname}&P=$url{$suggestion}$if{$ne{$hitsperpage,10},&HITSPERPAGE=$hitsperpage}$if{$fmt,&FMT=$html{$fmt}}$if{$cgi{COLLAPSE},&COLLAPSE=$cgi{COLLAPSE}}$map{$relevants,&R=$_}$if{$cgi{THRESHOLD},&THRESHOLD=$html{$cgi{THRESHOLD}}"}$map{$cgilist{B},&B=$html{$_}}&SPELL=0">$html{$suggestion}</a><br>}
++$if{$suggestion,Did you mean: <a href="$html{$or{$env{SCRIPT_NAME},omega}?DB=$url{$dbname}&P=$url{$suggestion}$if{$ne{$hitsperpage,10},&HITSPERPAGE=$hitsperpage}$if{$fmt,&FMT=$url{$fmt}}$if{$cgi{COLLAPSE},&COLLAPSE=$url{$cgi{COLLAPSE}}}$map{$relevants,&R=$_}$if{$cgi{THRESHOLD},&THRESHOLD=$url{$cgi{THRESHOLD}}"}$map{$cgilist{B},&B=$url{$_}}&SPELL=0}">$html{$suggestion}</a><br>}
+ $or{$html{$error},
+ $if{$eq{$msize,0},
+ $if{$query,No documents match your query,
+@@ -84,7 +84,7 @@ ${<IMG SRC="/icons/omega/score-$div{$per
+ </div></div>
+ <div style='float:left;margin-top:2px;font-size:x-small;'>
+ $if{$and{$field{modtime},$ne{$field{modtime},-1}},
+-<script type="text/javascript">write_date($field{modtime});</script>
++<script type="text/javascript">write_date($add{$field{modtime}});</script>
+ <noscript>
+ <span title="$html{$date{$field{modtime},%Y-%m-%d %H:%M:%S}}">
+ Modified:<br><b>$html{$date{$field{modtime},%Y-%m-%d}}</b></span>
+@@ -97,9 +97,9 @@ $if{$field{size},<span title="$html{$fie
+ </div>
+ </div>
+ </td>
+-<td><B><A HREF="$field{url}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
++<td><B><A HREF="$html{$field{url}}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
+ <small>$highlight{$field{sample},$terms}$if{$field{sample},...}</small><br>
+-<A HREF="$field{url}">$html{$field{url}}</A><br>
++<A HREF="$html{$field{url}}">$html{$field{url}}</A><br>
+ <small>
+ $percentage% relevant$. matching:
+ <i>$list{$map{$terms,$html{$prettyterm{$_}}},$. ,</i> and <i>}</i></small>${for lynx:}<p></td></tr>}
+--- xapian-omega-1.2.3.orig/templates/opensearch
++++ xapian-omega-1.2.3/templates/opensearch
+@@ -2,7 +2,7 @@ $httpheader{Content-Type,application/xml
+ <rss version="2.0" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/">
+ <channel>
+ <title>Xapian search results</title>
+- <link>$html{$env{SCRIPT_NAME}?DB=$dbname&P=$query}</link>
++ <link>$html{$env{SCRIPT_NAME}?DB=$url{$dbname}&P=$url{$query}}</link>
+ <description>Search results for "$html{$query}" at xapian.org</description>
+ <language>en</language>
+ <copyright>(C)2005, Xapian.org</copyright>
+--- xapian-omega-1.2.3.orig/templates/godmode
++++ xapian-omega-1.2.3/templates/godmode
+@@ -2,18 +2,18 @@ $set{thousand,$.}$set{decimal,.}<html>
+ <head>
+ <title>Omega:
+ $if{$cgi{ID},
+-Document #$cgi{ID},
++Document #$html{$cgi{ID}},
+ $if{$ne{$msize,0},
+ Term "$html{$cgi{B}}",
+ Choose what to Inspect}}
+ </title>
+ </head>
+ <body bgcolor=white>
+-<form METHOD=GET ACTION="$env{SCRIPT_NAME}">
++<form METHOD=GET ACTION="$html{$env{SCRIPT_NAME}}">
+ 
+ $if{$cgi{ID},
+ $setrelevant{$cgi{ID}}
+-<H1>Document #$cgi{ID}</H1>
++<H1>Document #$html{$cgi{ID}}</H1>
+ 
+ <H2>Terms indexing this document</H2>
+ 
+@@ -21,7 +21,7 @@ $setrelevant{$cgi{ID}}
+ <tr><th>Frequency</th><th align=left>Term</th></tr>
+ $map{$allterms{$cgi{ID}},
+ <tr><td align=right>$freq{$_}</td>
+-<td><A HREF="$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&B=$url{$_}">$html{$_}</A></td></tr>}
++<td><A HREF="$html{$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&B=$url{$_}}">$html{$_}</A></td></tr>}
+ </table>
+ 
+ <H2>Document Data</H2>
+@@ -50,11 +50,11 @@ $if{$not{$msizeexact},
+ <hr>
+ <table>
+ $hitlist{<TR>
+-<td align=right><A HREF="$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&ID=$id">#$id</A> </td>
++<td align=right><A HREF="$html{$env{SCRIPT_NAME}?$if{$dbname,DB=$url{$dbname}&}FMT=$url{$fmt}&ID=$id}">#$id</A> </td>
+ <TD><B><small>$html{$date{$field{modtime},%Y-%m-%d %H:%M}}</small>
+-<A HREF="$field{url}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
++<A HREF="$html{$field{url}}">$html{$or{$field{caption},$field{title},$field{url},Untitled}}</A></B><BR>
+ <small>$highlight{$field{sample},$terms}$if{$field{sample},...}</small><br>
+-<A HREF="$field{url}">$html{$field{url}}</A><br>
++<A HREF="$html{$field{url}}">$html{$field{url}}</A><br>
+ <hr></TD></TR>}
+ </table>
+ ${suppress next, prev, and page links if there's only one page}
+@@ -82,7 +82,7 @@ $NEXT
+ }
+ }}
+ $if{$or{$error,$and{$not{$cgi{ID}},$eq{$msize,0}}},
+-$if{$error,</form><div style="border:dotted;border-width:1px;padding:.5em;margin:.5em;background-color:yellow">$html{$error}</div><form METHOD=GET ACTION="$env{SCRIPT_NAME}">}
++$if{$error,</form><div style="border:dotted;border-width:1px;padding:.5em;margin:.5em;background-color:yellow">$html{$error}</div><form METHOD=GET ACTION="$html{$env{SCRIPT_NAME}}">}
+ Inspect document # <INPUT NAME=ID SIZE=10>
+ <INPUT TYPE=SUBMIT VALUE="Inspect">
+ <hr>
+--- xapian-omega-1.2.3.orig/templates/xml
++++ xapian-omega-1.2.3/templates/xml
+@@ -19,20 +19,20 @@ $map{$queryterms,<queryterm term="$html{
+ </queryterms>
+ <hits>
+ $hitlist{
+-<hit id="$id" relevance="$percentage%" modtime="$field{modtime}"
++<hit id="$id" relevance="$percentage%" modtime="$html{$field{modtime}}"
+ url="$html{$field{url}}" title="$html{$field{title}}"
+ $if{$field{language},language="$field{language}",}
+ $if{$field{size},size="$html{$field{size}}",}
+ $if{$field{sitename},sitename="$html{$field{sitename}}",}
+ score="$html{$score}"
+ sample="$html{$htmlstrip{$field{sample}}}"
+-example="$html{$highlight{$htmlstrip{$field{sample}},$terms,<strong $cgi{HILITECLASS}>}}"
++example="$html{$highlight{$htmlstrip{$field{sample}},$terms,<strong>}}"
+ $if{$ne{$collapsed,0}, collapsecount="$html{$collapsed}" collapsegroup="$html{$value{$cgi{COLLAPSE}}}"}
+ ><keywords>
+ $map{$field{keywords},<keyword keyword="$html{$_}" />}
+ </keywords>
+ <terms>
+-$map{$html{$terms},<term term="$html{$_}" show="$html{$prettyterm{$_}}" />}
++$map{$terms,<term term="$html{$_}" show="$html{$prettyterm{$_}}" />}
+ </terms>
+ </hit>
+ }
diff -Nru xapian-omega-1.2.3/debian/patches/series xapian-omega-1.2.3/debian/patches/series
--- xapian-omega-1.2.3/debian/patches/series 1970-01-01 12:00:00.000000000 +1200
+++ xapian-omega-1.2.3/debian/patches/series 2011-09-15 01:24:54.000000000 +1200
@@ -0,0 +1 @@
+fix-escaping-issues-in-templates.patch
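Review bot: In the xml template section of the new patch, the context line `$if{$field{language},language="$field{language}",}` still writes a document field straight into an attribute, while every neighbouring attribute on the same `<hit>` element (modtime, url, title, size, sitename) is now wrapped in `$html{}`; for consistency, and because it is the same class of issue the patch is fixing, it should read `$if{$field{language},language="$html{$field{language}}",}`. In the query template's "Did you mean" link, `&HITSPERPAGE=$hitsperpage` and `$map{$relevants,&R=$_}` are interpolated into the href without `$url{}`; if omega guarantees those values are numeric this is harmless, but that is not visible from the patch, so either confirm it or wrap them in `$url{}` like the adjacent parameters. Since these are context lines of a nested upstream patch, the corresponding fix would need to land in the upstream templates as well as in this debdiff.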