[ic] Patch for dist/catalog_after.cfg to eliminate XSS
Josh Lavin
josh at perusion.net
Mon Jul 11 15:16:50 UTC 2011
If a script is used in the URL of a request to a UI page, such as
'ui_download', the error page will display it inline, allowing the
script to execute.
https://github.com/jlavin/interchange/commit/aa633f6ce3b6f7fb27d155793a80115a0ce9f069
--- a/dist/catalog_after.cfg
+++ b/dist/catalog_after.cfg
@@ -73,7 +73,8 @@ sub {
$status = 0;
}
else {
- $Scratch->{ui_error} = "Not authorized for file $CGI->{mv_nextpage}";
+ my $file = $Tag->filter('encode_entities', $CGI->{mv_nextpage});
+ $Scratch->{ui_error} = "Not authorized for file $file";
$CGI->{mv_nextpage} = '__UI_BASE__/error';
$status = 1;
}
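Review bot: Encoding at the point where the message is stored in $Scratch->{ui_error} assumes the __UI_BASE__/error page emits that scratch value unescaped; if the error page already runs its output through an encoding filter, the filename will come out double-encoded (`&amp;lt;script&amp;gt;`), and if it does not, any other code path that writes ui_error from request data still reflects raw input. Worth confirming how the error page renders ui_error before merging, and either giving every writer of ui_error the same `$Tag->filter('encode_entities', ...)` treatment or moving the encoding to the error page so it covers all messages at output time.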
--
Josh Lavin
Perusion -- Expert Interchange Consulting http://www.perusion.com/
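Added example, not code from the report or from Interchange: a stand-alone Perl script that reproduces the reflection described above with a constructed request and shows the error message before and after the patch. The helpers url_decode, encode_entities (a minimal stand-in for Interchange's encode_entities filter, which is assumed to behave like HTML::Entities) and contains_raw_tag are all written here for illustration and are not part of the project.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-decode a query-string value the way a CGI layer would before it
# lands in $CGI->{mv_nextpage} (assumption: plain x-www-form-urlencoded).
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

# Minimal stand-in for Interchange's 'encode_entities' filter (assumption:
# the real filter uses HTML::Entities; this covers the characters that
# matter when the value is dropped into an HTML text node or attribute).
sub encode_entities {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Message as built before the patch: the request value is interpolated raw,
# so a tag in mv_nextpage reaches the error page as markup.
sub ui_error_before {
    my ($nextpage) = @_;
    return "Not authorized for file $nextpage";
}

# Message as built after the patch: the value is entity-encoded first, so
# the browser renders the tag as text instead of executing it.
sub ui_error_after {
    my ($nextpage) = @_;
    my $file = encode_entities($nextpage);
    return "Not authorized for file $file";
}

# Crude check for HTML context: does the message still contain a raw tag?
sub contains_raw_tag {
    my ($html) = @_;
    return $html =~ /<\s*\/?\s*[A-Za-z]/ ? 1 : 0;
}

# Constructed request, modelled on the report: a script tag carried in the
# mv_nextpage parameter of a request to the ui_download page.
my $query = 'mv_nextpage=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E';
my ($raw_value) = $query =~ /mv_nextpage=(.*)/;
my $nextpage = url_decode($raw_value);

print "before: ", ui_error_before($nextpage), "\n";
print "after:  ", ui_error_after($nextpage), "\n";
print "raw tag before? ", contains_raw_tag(ui_error_before($nextpage)), "\n";
print "raw tag after?  ", contains_raw_tag(ui_error_after($nextpage)), "\n";
```

The encoding is applied where the value is interpolated into the message, which matches the patch; it only protects the page if the error template emits ui_error without a second round of encoding, so check the template before relying on this alone.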