diff roundup/backends/sessions_dbm.py @ 4585:033a550812fc
Fix another XSS with the "otk" parameter.
Thanks to Jesse Ruderman for reporting.
| author | Ralf Schlatterbeck <rsc@runtux.com> |
|---|---|
| date | Tue, 07 Feb 2012 14:39:02 +0100 |
| parents | 6e3e4f24c753 |
| children | d5da643b3d25 |
--- a/roundup/backends/sessions_dbm.py Mon Jan 30 14:52:14 2012 +0100
+++ b/roundup/backends/sessions_dbm.py Tue Feb 07 14:39:02 2012 +0100
@@ -8,6 +8,7 @@
 import os, marshal, time
+from cgi import escape
 from roundup import hyperdb
 from roundup.i18n import _
 from roundup.anypy.dbm_ import anydbm, whichdb, key_in
@@ -64,7 +65,7 @@
 else:
 if default != self._marker:
 return default
-raise KeyError('No such %s "%s"'%(self.name, infoid))
+raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
 return values.get(value, None)
 finally:
 db.close()
@@ -77,7 +78,7 @@
 del d['__timestamp']
 return d
 except KeyError:
-raise KeyError('No such %s "%s"'%(self.name, infoid))
+raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
 finally:
 db.close()
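Review bot: The escape is applied where the KeyError is built rather than where its text is rendered, and `cgi.escape` with its default `quote=False` leaves `"` and `'` untouched, so the same id landing in an HTML attribute is still not neutralised; this applies to both changed lines, in the `@@ -64` and `@@ -77` hunks. Encoding inside the exception also means any non-HTML consumer of the message (logs, the command-line interface) now sees entity-encoded ids, and an HTML renderer that already escapes output will double-encode them. The more robust fix is to keep the raw `infoid` in the exception and escape at the HTML-producing call site; if that site is out of reach, at least use `escape(infoid, True)` here so quotes are covered. I would also note that `cgi.escape` presumably expects a string, so a non-string `infoid` would raise AttributeError instead of KeyError — worth confirming what callers pass. The enclosing methods start and end outside these hunks.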
