changeset 5664:5579fa034f9e
Fix XSS issue in wsgi and cgi when handling url not found/404. issue2551035
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Fri, 22 Mar 2019 18:16:11 -0400 |
| parents | a884698173ea |
| children | d660d1c1ba63 |
| files | CHANGES.txt frontends/roundup.cgi roundup/cgi/wsgi_handler.py |
| diffstat | 3 files changed, 6 insertions(+), 2 deletions(-) |
--- a/CHANGES.txt Fri Mar 22 14:43:21 2019 +0100 +++ b/CHANGES.txt Fri Mar 22 18:16:11 2019 -0400 @@ -100,6 +100,10 @@ HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is correct. Also fix roundup-server to produce the latter form. (Patch by Cédric Krier, reviewed/applied John Rouillard.) +- issue2551035 - fix XSS issue in wsgi and cgi when handing url not + found/404. Reported by hannob at + https://github.com/python/bugs.python.org/issues/34, issue opened by + JulienPalard. 2018-07-13 1.6.0
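Review bot: the new changelog entry repeats the typo from the commit subject, "when handing url not found/404"; since CHANGES.txt is user-facing it should read "when handling URL not found/404" before release. It would also help people reading the changelog to say what was actually wrong and what changed (the request path echoed into the 404 body was not HTML-escaped and now is), rather than only that an XSS issue was fixed.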
--- a/frontends/roundup.cgi Fri Mar 22 14:43:21 2019 +0100 +++ b/frontends/roundup.cgi Fri Mar 22 18:16:11 2019 -0400 @@ -181,7 +181,7 @@ request.send_response(404) request.send_header('Content-Type', 'text/html') request.end_headers() - out.write(s2b('Not found: %s'%client.path)) + out.write(s2b('Not found: %s'%cgi.escape(client.path))) else: from roundup.anypy import urllib_
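Review bot: `cgi.escape` is deprecated since Python 3.2 and is removed in Python 3.8, so on 3.8 and later this line will raise AttributeError on every 404, turning the fix into a crash in exactly the attacker-controlled path; prefer `html.escape` on Python 3, with a `cgi.escape` fallback via roundup.anypy if Python 2 is still supported. The hunk also does not show a `cgi` import in frontends/roundup.cgi; confirm one exists at the top of the script, otherwise the same line becomes a NameError. Note that `cgi.escape` does not escape quotes by default, which is acceptable here only because the path is written as element text and not inside an attribute; if the message is ever moved into an attribute, `quote=True` is required.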
--- a/roundup/cgi/wsgi_handler.py Fri Mar 22 14:43:21 2019 +0100 +++ b/roundup/cgi/wsgi_handler.py Fri Mar 22 18:16:11 2019 -0400 @@ -69,7 +69,7 @@ client.main() except roundup.cgi.client.NotFound: request.start_response([('Content-Type', 'text/html')], 404) - request.wfile.write(s2b('Not found: %s'%client.path)) + request.wfile.write(s2b('Not found: %s'%cgi.escape(client.path))) # all body data has been written using wfile return []
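Review bot: same concern as in the CGI frontend: `cgi.escape` is deprecated and gone in Python 3.8, and the hunk shows no `cgi` import in wsgi_handler.py, so check that one is present. Since the body is only `Not found: <path>`, a simpler and more robust fix is to send `Content-Type: text/plain; charset=utf-8` here and in roundup.cgi, which makes escaping unnecessary and removes the risk of the two frontends drifting apart; if the HTML content type is kept, factor the escaped 404 body into one shared helper used by both call sites. Either way, add a test that requests a path containing `<script>` and asserts the 404 response body does not contain it verbatim, so the regression cannot come back silently.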
