Bug#764199: UDD: XSS in bts-usertags-cgi
tag 767584 + patch
thanks
Hello,
please see the attached (rather trivial) patch.
I looked up [1], which seemed the appropriate fix for this issue. My
Python-Foo is not very strong, so please eventually take a closer look
at whether this is the right fix.
Bye,
Simon
[1] https://docs.python.org/2/library/cgi.html
From 7af4b228a3d352d4e14537ffa33cd1c3173fe505 Mon Sep 17 00:00:00 2001
From: Simon Kainz <skainz@debian.org>
Date: Tue, 27 Jan 2015 14:06:14 +0100
Subject: [PATCH] add escaping for < and > characters in bug title
---
web/cgi-bin/bts-usertags.cgi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/web/cgi-bin/bts-usertags.cgi b/web/cgi-bin/bts-usertags.cgi
index 8c8e3d1..8229707 100755
--- a/web/cgi-bin/bts-usertags.cgi
+++ b/web/cgi-bin/bts-usertags.cgi
@@ -193,7 +193,7 @@ def tagged_bugs(user, tag):
'target': ('src:' if result.source == result.package else '')
+ result.package,
},
- result.title,
+ cgi.escape(result.title),
'<a href="?bug=%s">list usertags</a>' % result.id,
attrs=attrs)
tfoot()
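Review bot: the `import cgi` that the new `cgi.escape(result.title)` call depends on is not visible in this hunk; check that the module is already imported at the top of bts-usertags.cgi, otherwise every request will fail with a NameError instead of rendering the page. Note also that `cgi.escape` defaults to `quote=False`, so `"` is left untouched: that is sufficient as long as the title is emitted as element text, which is how it appears to be used in this row, but if the same value is ever placed inside an attribute it needs `cgi.escape(result.title, True)`. The commit subject mentions only `<` and `>`, while `cgi.escape` also turns `&` into `&amp;`; that is the desired behaviour and is worth stating in the message. Finally, `cgi.escape` is deprecated since Python 3.2 and removed in 3.8; it is fine for the Python 2 target this script uses, but `html.escape` would be the portable replacement if the CGI is ever ported.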
--
2.1.4