
Bug#764199: UDD: XSS in bts-usertags-cgi



tag 767584 + patch
thanks

Hello,

please see the attached (rather trivial) patch.

I looked up [1] which seemed the appropriate fix for this issue. My
Python-Foo is not very strong, so please eventually take a closer look
if this is the right fix.

Bye,

Simon

[1] https://docs.python.org/2/library/cgi.html
From 7af4b228a3d352d4e14537ffa33cd1c3173fe505 Mon Sep 17 00:00:00 2001
From: Simon Kainz <skainz@debian.org>
Date: Tue, 27 Jan 2015 14:06:14 +0100
Subject: [PATCH] add escaping for < and > characters in bug title

---
 web/cgi-bin/bts-usertags.cgi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/cgi-bin/bts-usertags.cgi b/web/cgi-bin/bts-usertags.cgi
index 8c8e3d1..8229707 100755
--- a/web/cgi-bin/bts-usertags.cgi
+++ b/web/cgi-bin/bts-usertags.cgi
@@ -193,7 +193,7 @@ def tagged_bugs(user, tag):
                'target': ('src:' if result.source == result.package else '')
                          + result.package,
               },
-           result.title,
+           cgi.escape(result.title),
            '<a href="?bug=%s">list usertags</a>' % result.id,
            attrs=attrs)
     tfoot()
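Review bot: cgi.escape(result.title) on the `+` line leaves double quotes alone (cgi.escape defaults to quote=False), which is enough while the title is emitted as cell text but not if the same value is ever placed inside an attribute; cgi.escape is also deprecated in Python 3 in favour of html.escape, so `cgi.escape(result.title, quote=True)` now, or `html.escape(result.title)` on a Python 3 move, would be the safer spelling. The hunk adds no import, so please confirm the script already imports cgi. The other values in the same call are still interpolated raw (result.package into 'target', result.id into the href); if either can carry user-controlled text it needs the same escaping, with the href value also URL-encoded.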
-- 
2.1.4
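The distinction the patch relies on, shown as an added example in Python 3 (this is not code from the message above or from UDD): cgi.escape(title) with its default quote=False neutralises the tags in a bug title placed as cell text, but leaves `"` untouched, so the same call would not protect a title dropped into an attribute value. html.escape(s, quote=False) reproduces the Python 2 cgi.escape behaviour; html.escape(s) (quote=True) is the attribute-safe form. The sample titles, the render_row layout and the render_attr_title helper are constructed for the illustration and are assumptions, not UDD's table code.

```python
import html

# Constructed sample titles, not real bug reports: a benign title with markup
# characters, a text-node payload, and an attribute-breaking payload.
SAMPLE_TITLES = [
    'normal title with & and <tags>',
    '<script>alert(document.cookie)</script>',
    '" onmouseover="alert(1)',
]


def escape_text(title):
    """Escape for a text node: what Python 2's cgi.escape(title) did
    (quote=False, so only &, < and > are touched)."""
    return html.escape(title, quote=False)


def escape_attr(title):
    """Escape for a double- or single-quoted attribute value
    (html.escape default, quote=True: also " and ')."""
    return html.escape(title, quote=True)


def render_row(bug_id, title):
    """Assumed row layout mirroring the patched call: title as cell text,
    then a link built from the bug id.  The id is forced to an integer so it
    cannot break out of the href; non-numeric input raises ValueError."""
    bug_id = int(bug_id)
    return ('<tr><td>%s</td>'
            '<td><a href="?bug=%d">list usertags</a></td></tr>'
            % (escape_text(title), bug_id))


def render_attr_title(title, safe=True):
    """Assumed helper: the title placed in a title="..." attribute.  With
    safe=False it uses the text-node escaper, which is the mistake the
    quote=False default invites."""
    esc = escape_attr if safe else escape_text
    return '<td title="%s">...</td>' % esc(title)


def is_neutralised(fragment, payload):
    """True when the raw payload no longer appears verbatim in the output."""
    return payload not in fragment


if __name__ == '__main__':
    for t in SAMPLE_TITLES:
        print(render_row(764199, t))
        print(render_attr_title(t, safe=False))
        print(render_attr_title(t, safe=True))
```

Running the block shows the third sample surviving unchanged in the unsafe attribute rendering while every other output has its markup characters replaced, which is why the reviewer's suggestion of quote=True (or html.escape) costs nothing and removes a class of future bug.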

