Re: Proposed fixes for potential XSS issues in xapian-omega

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: debian-release@lists.debian.org
Subject: Re: Proposed fixes for potential XSS issues in xapian-omega
From: Olly Betts <olly@survex.com>
Date: Mon, 26 Sep 2011 02:32:09 +0100
Message-id: <[🔎] 20110926013209.GD28570@survex.com>
In-reply-to: <[🔎] 1316867217.2091.167.camel@hathi.jungle.funky-badger.org>
References: <[🔎] 20110914135130.GA6153@cavity> <[🔎] 1316867217.2091.167.camel@hathi.jungle.funky-badger.org>

On Sat, Sep 24, 2011 at 01:26:57PM +0100, Adam D. Barratt wrote:
> On Thu, 2011-09-15 at 01:51 +1200, Olly Betts wrote:
> > I've discussed these with the security team, and they decided it was most
> > appropriate to handle them via a stable update.  I've attached a debdiff
> > showing the changes I'm proposing.
> 
> Apologies for the slight delay in getting back to you.  For future
> reference, a usertagged bug is generally easier for us to keep track of
> and less likely to get lost in the (periodic) noise on the list.

OK, I'll do that in future.

FWIW, the dev ref just says to email the list, so perhaps needs updating
if a usertagged bug is how the release team now prefers this to be done:

http://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

> > All these changes have been in upstream releases since 1.2.5 (released
> > 2011-04-04) with no reports of any issues.
> 
> Please go ahead; thanks.

I took that as implied permission to make the same changes to oldstable
too, but in the process of applying them I noticed a couple of places
which had been missed.  Neither is going to be easy to exploit, but I
think it is worth patching these too while we're at it.  I've attached a
patch showing just the two extra fixes for clarity.  I've tested these
to make sure they work as intended.

Is it OK to include these too?

And can I get an explicit OK on uploading the same fixes to oldstable?

Cheers,
    Olly

Index: templates/query
===================================================================
--- templates/query	(revision 16068)
+++ templates/query	(revision 16070)
@@ -60,7 +60,7 @@
 $if{$opt{topterms},
  <div title="Suggested terms to add to your query"
  style="text-align:left;background:#cfc;border:1px solid green;padding:2px;font:11px verdana$. arial$. helvetica$. sans-serif;">
- $map{$topterms,<span style="white-space:nowrap"><INPUT TYPE=checkbox NAME=X VALUE="$prettyterm{$_}" onClick="C(this)">$prettyterm{$_}</span> }
+ $map{$topterms,<span style="white-space:nowrap"><INPUT TYPE=checkbox NAME=X VALUE="$html{$prettyterm{$_}}" onClick="C(this)">$html{$prettyterm{$_}}</span> }
  <BR><NOSCRIPT><INPUT TYPE=hidden NAME=ADD VALUE=1></NOSCRIPT>
  </div>
 }
Index: templates/godmode
===================================================================
--- templates/godmode	(revision 16068)
+++ templates/godmode	(revision 16070)
@@ -31,7 +31,7 @@
 <H2>Document Values</H2>
 
 $set{values,$list{$map{$range{0,255},$if{$value{$_,$cgi{ID}},
-<tr><td>$_</td><td>$value{$_,$cgi{ID}}</td></tr>
+<tr><td>$_</td><td>$html{$value{$_,$cgi{ID}}}</td></tr>
 }},}}
 $if{$opt{values},
 <table><tr><th>Value#</th><th>Value</th></tr>

Reply to:

Follow-Ups:
- Re: Proposed fixes for potential XSS issues in xapian-omega
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- Proposed fixes for potential XSS issues in xapian-omega
  - From: Olly Betts <olly@survex.com>
- Re: Proposed fixes for potential XSS issues in xapian-omega
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Bug#642956: pu: package apache2/2.2.16-6+squeeze4
Next by Date: Bug#640404: marked as done (transition: network-manager)
Previous by thread: Re: Proposed fixes for potential XSS issues in xapian-omega
Next by thread: Re: Proposed fixes for potential XSS issues in xapian-omega
Index(es):
- Date
- Thread