[ic] Patch for dist/catalog_after.cfg to eliminate XSS

Josh Lavin josh at perusion.net
Mon Jul 11 15:16:50 UTC 2011


If a script is used in the URL of a request to a UI page, such as 
'ui_download', the error page will display it inline, allowing the 
script to execute.

https://github.com/jlavin/interchange/commit/aa633f6ce3b6f7fb27d155793a80115a0ce9f069

--- a/dist/catalog_after.cfg
+++ b/dist/catalog_after.cfg
@@ -73,7 +73,8 @@ sub {
                 $status = 0;
     }
     else {
-     $Scratch->{ui_error} = "Not authorized for file $CGI->{mv_nextpage}";
+     my $file = $Tag->filter('encode_entities', $CGI->{mv_nextpage});
+     $Scratch->{ui_error} = "Not authorized for file $file";
       $CGI->{mv_nextpage} = '__UI_BASE__/error';
       $status = 1;
     }
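Review bot: encoding at the point where `$Scratch->{ui_error}` is stored means the `__UI_BASE__/error` page must emit that scratch value raw; if the template (now or later) passes it through an encoding filter on output, the `&lt;` produced here renders as a literal `&amp;lt;`. Either note in the hunk that `ui_error` now holds pre-encoded HTML, or apply `$Tag->filter('encode_entities', ...)` where the value is output in the error page instead. Also, only the "Not authorized" message in this else branch is covered; any other message built from `$CGI->{mv_nextpage}` on the same path would need the same filter.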

-- 
Josh Lavin
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
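To make the failure mode concrete, here is a stand-alone illustration of the before and after of the patch above. It is added for this page and is not Interchange code: it reproduces the vulnerable string construction, the entity-encoded one, and a simple check, using the CPAN module HTML::Entities directly (the Interchange `encode_entities` filter is assumed to behave the same way); the attacker-supplied value is constructed for the example.

```perl
#!/usr/bin/perl
# Added illustration, not Interchange code. Shows why the untrusted
# mv_nextpage value from the URL must be entity-encoded before it is
# placed in an HTML error message. Assumes the CPAN module HTML::Entities.
use strict;
use warnings;
use HTML::Entities qw(encode_entities);

# Constructed sample: what an attacker would put in the URL of a request
# to a UI page such as ui_download.
my $mv_nextpage = q{"><script>alert(document.cookie)</script>};

# Vulnerable construction (the "-" side of the patch): the raw value is
# interpolated into the message that the error page renders inline.
sub error_message_raw {
    my ($page) = @_;
    return "Not authorized for file $page";
}

# Hardened construction (the "+" side of the patch): encode the HTML
# metacharacters < > & " first, so the browser shows the text as text.
sub error_message_encoded {
    my ($page) = @_;
    my $file = encode_entities($page);
    return "Not authorized for file $file";
}

# Check a reviewer can run: the encoded message must not contain a tag
# opener anywhere, regardless of what the request supplied.
sub contains_tag {
    my ($html) = @_;
    return $html =~ /<\s*\/?\s*[a-z]/i ? 1 : 0;
}

print "raw:     ", error_message_raw($mv_nextpage), "\n";
print "encoded: ", error_message_encoded($mv_nextpage), "\n";
printf "raw contains tag: %d\nencoded contains tag: %d\n",
    contains_tag(error_message_raw($mv_nextpage)),
    contains_tag(error_message_encoded($mv_nextpage));
```

One caveat worth keeping in mind: entity encoding makes the value safe only where it lands in HTML text or a quoted HTML attribute. If the error page ever placed `ui_error` inside a `<script>` block or a URL, a different encoding for that context would be needed, and encoding once at storage time (as the patch does) does not cover that case.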
