[SRM] #464778 XSS issue in old tdiary version
Hi stable release managers,
I have prepared a patch that fixes the XSS issue reported in #464778 for Etch's version of tDiary.
Sorry for leaving the bug open for a long time.
With the permission of the release team, I would like to upload it.
Regards,
Daigo
--
Daigo Moriwaki
beatles at sgtpepper dot net
Index: debian/changelog
===================================================================
--- debian/changelog (revision 187)
+++ debian/changelog (working copy)
@@ -1,10 +1,11 @@
-tdiary (2.0.2+20060303-6) unstable; urgency=low
+tdiary (2.0.2+20060303-6) stable-security; urgency=low
* Added debian/patches/20_xss_category.dpatch: Fixed a Cross Site
Scripting (XSS) vulnerability, where any scripts may be embedded in
"Category" pages generated by the category.rb plugin.
+ (Closes: #464778)
- -- Daigo Moriwaki <daigo@debian.org> Mon, 15 Jan 2007 21:07:08 +0900
+ -- Daigo Moriwaki <daigo@debian.org> Sun, 26 Oct 2008 08:33:31 -0400
tdiary (2.0.2+20060303-5) unstable; urgency=high
Index: debian/patches/20_xss_category.dpatch
===================================================================
--- debian/patches/20_xss_category.dpatch (revision 0)
+++ debian/patches/20_xss_category.dpatch (revision 191)
@@ -0,0 +1,266 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 20_xss_category.dpatch by Daigo Moriwaki <daigo@debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Fixed a Cross Site Scripting (XSS) vulnerability
+
+@DPATCH@
+diff -urNad etch-2.0.2+20060303~/misc/plugin/category.rb etch-2.0.2+20060303/misc/plugin/category.rb
+--- etch-2.0.2+20060303~/misc/plugin/category.rb 2008-01-06 21:50:40.000000000 +0900
++++ etch-2.0.2+20060303/misc/plugin/category.rb 2008-01-06 23:20:00.000000000 +0900
+@@ -28,7 +28,7 @@
+ @conf['category.icon'].split(/\n/).each do |l|
+ c, i = l.split
+ next if c.nil? or i.nil?
+- @category_icon[c] = i if File.exists?("#{@category_icon_dir}#{i}")
++ @category_icon[c] = i if File.exists?("#{@category_icon_dir}#{i}".untaint)
+ end
+ end
+ category_icon_init
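Review bot: The added `.untaint` on the icon path only switches off Ruby's $SAFE taint check; it does not validate `i`, which is read from `@conf['category.icon']` two lines above and is later interpolated into `src=` attributes elsewhere in this file. If that setting can be edited from the web configuration UI, an entry such as `../x` passes the existence test and is emitted as an image path pointing outside `@category_icon_dir`; a basename check before the untaint keeps the safeguard meaningful: `next if i != File.basename(i)`. Whether `category.icon` is admin-only I cannot tell from this hunk.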
+@@ -56,9 +56,9 @@
+ ""
+ end
+ if @category_icon[category]
+- %Q|<a href="#{@index}?#{period_string}category=#{CGI::escape(category)}"><img class="category" src="#{@category_icon_dir}#{@category_icon[category]}" alt="#{category}"></a>|
++ %Q|<a href="#{h @index}?#{period_string}category=#{u category}"><img class="category" src="#{h @category_icon_dir}#{h @category_icon[category]}" alt="#{h category}"></a>|
+ else
+- %Q|[<a href="#{@index}?#{period_string}category=#{CGI::escape(category)}">#{category}</a>]|
++ %Q|[<a href="#{h @index}?#{period_string}category=#{u category}">#{h category}</a>]|
+ end
+ end
+
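Review bot: `period_string` is still interpolated raw into the `href` on both rewritten lines while every neighbouring value now goes through `h` or `u`; it is built outside this hunk, so if it carries year/month values taken from the request it is the one remaining unescaped piece of that attribute. Wrapping it the same way, `#{h period_string}`, is harmless if it is already a clean `year=…;` fragment and closes the gap if it is not.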
+@@ -105,7 +105,7 @@
+ @categorized.keys.sort.each do |c|
+ info.category = c
+ if @category_icon[c]
+- img = %Q|<img class="category" src="#{@category_icon_url}#{@category_icon[c]}" alt="#{c}">|
++ img = %Q|<img class="category" src="#{h @category_icon_url}#{h @category_icon[c]}" alt="#{h c}">|
+ else
+ img = ''
+ end
+@@ -118,7 +118,7 @@
+ @categorized[c].keys.sort.each do |ymd|
+ text = Time.local(ymd[0,4], ymd[4,2], ymd[6,2]).strftime(@conf.date_format)
+ @categorized[c][ymd].sort.each do |idx, title, excerpt|
+- r << %Q|\t\t\t<a href="#{@conf.index}#{anchor "#{ymd}#p#{'%02d' % idx}"}" title="#{excerpt}">#{text}#p#{'%02d' % idx}</a> #{apply_plugin(title)}<br>\n|
++ r << %Q|\t\t\t<a href="#{h @conf.index}#{anchor "#{ymd}#p#{'%02d' % idx}"}" title="#{h excerpt}">#{text}#p#{'%02d' % idx}</a> #{apply_plugin(title)}<br>\n|
+ end
+ end
+ r << <<HTML
+@@ -147,7 +147,7 @@
+
+ options = ''
+ (['ALL'] + @categories).each do |c|
+- options << %Q|\t\t<option value="#{CGI.escapeHTML(c)}"#{" selected" if category.include?(c)}>#{CGI.escapeHTML(c)}</option>\n|
++ options << %Q|\t\t<option value="#{h c}"#{" selected" if category.include?(c)}>#{h c}</option>\n|
+ end
+
+ <<HTML
+@@ -179,6 +179,8 @@
+ # Info
+ #
+ class Info
++ include ERB::Util
++
+ def initialize(cgi, years, conf, args = {})
+ @cgi = cgi
+ @years = years
+@@ -268,7 +270,7 @@
+ end
+
+ def make_anchor(label = nil)
+- a = @category.map {|c| "category=#{CGI.escape(c)}"}.join(';')
++ a = @category.map {|c| "category=#{u c}"}.join(';')
+ a << ";year=#{@year}" if @year
+ a << ";month=#{@month}" if @month
+ if label
+@@ -280,9 +282,9 @@
+ label = label.gsub(/\$1/, @year || '*')
+ end
+ else
+- label = @category.map {|c| CGI.escapeHTML(c)}.join(':')
++ label = @category.map.join(":")
+ end
+- %Q|<a href="#{@conf.index}?#{a}">#{label}</a>|
++ %Q|<a href="#{h @conf.index}?#{h a}">#{h label}</a>|
+ end
+
+ #
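Review bot: `label = @category.map.join(":")` drops the block the removed line had, so it is `map` with no block: on Ruby 1.8.7 and later that returns an Enumerator, which has no `join` and raises NoMethodError, and on older 1.8 it is merely a copy of the array. Since escaping now happens once in `#{h label}` on the anchor line, the intended expression is simply `label = @category.join(':')`. The `h a` on the href is fine, as `a` holds only url-encoded category names plus the year/month values.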
+@@ -362,6 +364,8 @@
+ # Cache
+ #
+ class Cache
++ include ERB::Util
++
+ def initialize(conf, bind)
+ @conf = conf
+ @binding = bind # ...... very ugly
+@@ -487,7 +491,7 @@
+ private
+ def cache_file(category = nil)
+ if category
+- "#{@dir}/#{CGI.escape(category)}".untaint
++ "#{@dir}/#{u category}".untaint
+ else
+ "#{@dir}/category_list"
+ end
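Review bot: Switching the cache file name from `CGI.escape(category)` to `u category` changes the on-disk name for any category containing a space (`+` becomes `%20`) or other characters the two encoders treat differently, so existing cache files are orphaned and any reader still using the old name misses; this is a filesystem path, not an HTML context, so the XSS fix does not require it. Keep `"#{@dir}/#{CGI.escape(category)}".untaint` here. Note that neither encoder touches `.`, so a category literally named `..` resolves to the parent directory — pre-existing and contained because `/` is encoded, but worth a comment on the method.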
+@@ -567,8 +571,7 @@
+ ret << '<div class="field title">'
+ ret << "#{@category_conf_label}:\n"
+ @categories.each do |c|
+- e_c = CGI.escapeHTML(c)
+- ret << %Q!| <a href="javascript:inj_c("[#{e_c}]")">#{e_c}</a>\n!
++ ret << %Q!| <a href="javascript:inj_c("[#{h c}]")">#{h c}</a>\n!
+ end
+ ret << "|\n</div>\n<br>\n"
+ end
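Review bot: `h c` inside `href="javascript:inj_c("[#{h c}]")"` protects the HTML attribute but not the JavaScript string literal within it: the browser decodes `&quot;` back to `"` before evaluating the URL, so a category name containing `"` or `\` still closes the literal and runs as code in the editor page. Escape for the JS context first and HTML-escape the result, e.g. `js_c = c.gsub(/["\\]/) { |m| "\\#{m}" }` followed by `href="javascript:inj_c("[#{h js_c}]")"`. As printed here the inner double quotes also terminate the `href` attribute itself, so either the original used `&quot;` and was mangled in transit or the markup is broken independently of escaping; worth checking. Category names are presumably author-supplied, so this is an author/admin-only vector, but it is the same bug class the patch fixes.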
+@@ -597,7 +600,7 @@
+ return if @category_all_icon
+ @category_all_icon = []
+ %w(png jpg gif bmp).each do |e|
+- @category_all_icon += Dir.glob("#{@category_icon_dir}*.#{e}").map {|i| File.basename(i)}
++ @category_all_icon += Dir.glob("#{@category_icon_dir}*.#{e}".untaint).map {|i| File.basename(i)}
+ end
+ @category_all_icon.sort!
+ end
+@@ -605,10 +608,10 @@
+ def category_icon_select(category)
+ options = %Q|<\t<option value="none">#{@category_icon_none_label}</option>\n|
+ @category_all_icon.each do |i|
+- options << %Q|\t<option value="#{CGI.escapeHTML(i)}"#{" selected" if @category_icon[category] == i}>#{CGI.escapeHTML(i)}</option>\n|
++ options << %Q|\t<option value="#{h i}"#{" selected" if @category_icon[category] == i}>#{h i}</option>\n|
+ end
+ <<HTML
+-<select name="category.icon.#{category}">
++<select name="category.icon.#{h category}">
+ #{options}
+ </select>
+ HTML
+@@ -616,8 +619,8 @@
+
+ def category_icon_sample
+ @category_all_icon.map do |i|
+- %Q|<img src="#{@category_icon_url}#{i}" alt="#{i}">\n|
+- end.join("/\n")
++ %Q|<img src="#{h @category_icon_url}#{h i}" alt="#{h i}" title="#{h i}">\n|
++ end.join("/\n")
+ end
+
+ if @mode == 'conf' || @mode == 'saveconf'
+diff -urNad etch-2.0.2+20060303~/misc/plugin/en/category.rb etch-2.0.2+20060303/misc/plugin/en/category.rb
+--- etch-2.0.2+20060303~/misc/plugin/en/category.rb 2007-01-13 11:41:11.000000000 +0900
++++ etch-2.0.2+20060303/misc/plugin/en/category.rb 2008-01-06 23:23:40.000000000 +0900
+@@ -26,14 +26,14 @@
+ end
+
+ def category_init_local
+- @conf['category.prev_year'] ||= '«($1)'
+- @conf['category.next_year'] ||= '($1)»'
+- @conf['category.prev_half'] ||= '«($1-$2)'
+- @conf['category.next_half'] ||= '($1-$2)»'
+- @conf['category.prev_quarter'] ||= '«($1-$2)'
+- @conf['category.next_quarter'] ||= '($1-$2)»'
+- @conf['category.prev_month'] ||= '«($1-$2)'
+- @conf['category.next_month'] ||= '($1-$2)»'
++ @conf['category.prev_year'] ||= '<< ($1)'
++ @conf['category.next_year'] ||= '($1) >>'
++ @conf['category.prev_half'] ||= '<< ($1-$2)'
++ @conf['category.next_half'] ||= '($1-$2) >>'
++ @conf['category.prev_quarter'] ||= '<< ($1-$2)'
++ @conf['category.next_quarter'] ||= '($1-$2) >>'
++ @conf['category.prev_month'] ||= '<< ($1-$2)'
++ @conf['category.next_month'] ||= '($1-$2) >>'
+ @conf['category.this_year'] ||= 'this year'
+ @conf['category.this_half'] ||= 'this half'
+ @conf['category.this_quarter'] ||= 'this quarter'
+diff -urNad etch-2.0.2+20060303~/misc/plugin/ja/category.rb etch-2.0.2+20060303/misc/plugin/ja/category.rb
+--- etch-2.0.2+20060303~/misc/plugin/ja/category.rb 2007-01-13 11:41:10.000000000 +0900
++++ etch-2.0.2+20060303/misc/plugin/ja/category.rb 2008-01-06 23:22:37.000000000 +0900
+@@ -26,14 +26,14 @@
+ end
+
+ def category_init_local
+- @conf['category.prev_year'] ||= '«($1)'
+- @conf['category.next_year'] ||= '($1)»'
+- @conf['category.prev_half'] ||= '«($1-$2)'
+- @conf['category.next_half'] ||= '($1-$2)»'
+- @conf['category.prev_quarter'] ||= '«($1-$2)'
+- @conf['category.next_quarter'] ||= '($1-$2)»'
+- @conf['category.prev_month'] ||= '«($1-$2)'
+- @conf['category.next_month'] ||= '($1-$2)»'
++ @conf['category.prev_year'] ||= '<< ($1)'
++ @conf['category.next_year'] ||= '($1) >>'
++ @conf['category.prev_half'] ||= '<< ($1-$2)'
++ @conf['category.next_half'] ||= '($1-$2) >>'
++ @conf['category.prev_quarter'] ||= '<< ($1-$2)'
++ @conf['category.next_quarter'] ||= '($1-$2) >>'
++ @conf['category.prev_month'] ||= '<< ($1-$2)'
++ @conf['category.next_month'] ||= '($1-$2) >>'
+ @conf['category.this_year'] ||= 'ǯ'
+ @conf['category.this_half'] ||= 'Ⱦ´ü'
+ @conf['category.this_quarter'] ||= '»ÍȾ´ü'
+diff -urNad etch-2.0.2+20060303~/misc/plugin/zh/category.rb etch-2.0.2+20060303/misc/plugin/zh/category.rb
+--- etch-2.0.2+20060303~/misc/plugin/zh/category.rb 2007-01-13 11:41:11.000000000 +0900
++++ etch-2.0.2+20060303/misc/plugin/zh/category.rb 2008-01-06 23:24:23.000000000 +0900
+@@ -26,14 +26,14 @@
+ end
+
+ def category_init_local
+- @conf['category.prev_year'] ||= '«($1)'
+- @conf['category.next_year'] ||= '($1)»'
+- @conf['category.prev_half'] ||= '«($1-$2)'
+- @conf['category.next_half'] ||= '($1-$2)»'
+- @conf['category.prev_quarter'] ||= '«($1-$2)'
+- @conf['category.next_quarter'] ||= '($1-$2)»'
+- @conf['category.prev_month'] ||= '«($1-$2)'
+- @conf['category.next_month'] ||= '($1-$2)»'
++ @conf['category.prev_year'] ||= '<< ($1)'
++ @conf['category.next_year'] ||= '($1) >>'
++ @conf['category.prev_half'] ||= '<< ($1-$2)'
++ @conf['category.next_half'] ||= '($1-$2) >>'
++ @conf['category.prev_quarter'] ||= '<< ($1-$2)'
++ @conf['category.next_quarter'] ||= '($1-$2) >>'
++ @conf['category.prev_month'] ||= '<< ($1-$2)'
++ @conf['category.next_month'] ||= '($1-$2) >>'
+ @conf['category.this_year'] ||= 'this year'
+ @conf['category.this_half'] ||= 'this half'
+ @conf['category.this_quarter'] ||= 'this quarter'
+diff -urNad etch-2.0.2+20060303~/skel/category.rhtml etch-2.0.2+20060303/skel/category.rhtml
+--- etch-2.0.2+20060303~/skel/category.rhtml 2008-01-06 21:50:40.000000000 +0900
++++ etch-2.0.2+20060303/skel/category.rhtml 2008-01-06 23:20:00.000000000 +0900
+@@ -1,7 +1,7 @@
+ <%# category.rhtml $Revision: 1.7 $ %>
+ <%%= navi %>
+ <%= @conf['category.header1'] %>
+-<h1><%= CGI::escapeHTML( @conf.html_title ) %> <%%= category_title %></h1>
++<h1><%=h @conf.html_title %> <%%=h category_title %></h1>
+ <%= @conf['category.header2'] %>
+ <hr class="sep">
+ <%%= category_list_sections %>
+diff -urNad etch-2.0.2+20060303~/tdiary.rb etch-2.0.2+20060303/tdiary.rb
+--- etch-2.0.2+20060303~/tdiary.rb 2008-01-06 21:50:40.000000000 +0900
++++ etch-2.0.2+20060303/tdiary.rb 2008-01-06 23:20:00.000000000 +0900
+@@ -283,6 +283,7 @@
+ # Base module of Diary.
+ #
+ module DiaryBase
++ include ERbLight::Util
+ include CommentManager
+ include RefererManager
+
+@@ -581,6 +582,7 @@
+ # plugin management class
+ #
+ class Plugin
++ include ERbLight::Util
+ attr_reader :cookies
+
+ def initialize( params )
+@@ -829,6 +831,7 @@
+ # tDiary CGI
+ #
+ class TDiaryBase
++ include ERbLight::Util
+ DIRTY_NONE = 0
+ DIRTY_DIARY = 1
+ DIRTY_COMMENT = 2
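Review bot: tdiary.rb mixes `ERbLight::Util` into DiaryBase, Plugin and TDiaryBase, while the same patch mixes `ERB::Util` into category.rb's Info and Cache classes, so `h`/`u` now come from two different implementations depending on which class the caller lives in. If the two ever diverge (ERB's `url_encode` unreserved set has changed across Ruby versions) the cache file names and links built inside Info/Cache will not match those built by the plugin methods; use one module, `include ERbLight::Util` in category.rb as well, unless category.rb already requires 'erb' for another reason, which I cannot see from here. A one-line comment on each include, such as `# provides h/u for HTML and URL escaping in plugin output`, would also tell the next reader why a template helper is being mixed into the diary model.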
Property changes on: debian/patches/20_xss_category.dpatch
___________________________________________________________________
Added: svn:executable
+ *