[xiph-commits] r15252 - websites/validator.xspf.org
sping at svn.xiph.org
Thu Sep 4 09:06:28 PDT 2008
Author: sping
Date: 2008-09-04 09:06:27 -0700 (Thu, 04 Sep 2008)
New Revision: 15252
Modified:
websites/validator.xspf.org/check.py
Log:
Fix XSS vulnerability
Modified: websites/validator.xspf.org/check.py
===================================================================
--- websites/validator.xspf.org/check.py 2008-09-04 15:44:07 UTC (rev 15251)
+++ websites/validator.xspf.org/check.py 2008-09-04 16:06:27 UTC (rev 15252)
@@ -32,8 +32,10 @@
# -----------------------------------------------------------------------
# 2008-09-04 -- Sebastian Pipping <webmaster at hartwork.org>
#
-# * Fixed: [Security] Accessing local files was pssible
+# * Fixed: [Security] Accessing local files was possible
# through using file URIs like file:///etc/passwd
+# * Fixed: [Security] XSS vulnerability existed with URIs
+# like [..]check.py?uri=[javascript]
#
# 2008-08-25 -- Sebastian Pipping <webmaster at hartwork.org>
#
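Review bot: The added changelog line names the query parameter `uri`, but the handler reads the form field `url` (`form.getlist("url")` in the next hunk), so the note would send a reader looking for a parameter that does not exist; `# like [..]check.py?url=[javascript]` would match the code. If `uri` is an older alias the handler also accepts, that is not visible in this diff and the comment should say so.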
@@ -282,7 +284,7 @@
input = uploaded.file.read()
if input != "":
- intro = "Validating uploaded file<br><b><i>" + uploaded.filename + "</i></b><br><br>"
+ intro = "Validating uploaded file<br><b><i>" + cgi.escape(uploaded.filename) + "</i></b><br><br>"
elif form.has_key("url"): ### and form.has_key("submitUrl")
url = form.getlist("url")[0]
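Review bot: `cgi.escape(uploaded.filename)` on the `+` line leaves `quote` at its default, so `"` and `'` pass through unescaped; that is safe only because the filename lands in element content between `<i>` tags, and `cgi.escape(url)` at the end of the next hunk relies on the same context-specific reasoning. Passing `True` at every site, `cgi.escape(uploaded.filename, True)`, costs nothing and keeps the escaping correct if the string is later moved into an attribute. `uploaded.filename` is presumably always a string once `uploaded.file.read()` has succeeded, but if the upload field can arrive with a `None` filename the call would raise — I cannot tell from the hunk whether the caller already excludes that case. The enclosing handler starts before this hunk.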
@@ -297,11 +299,12 @@
intro = """<b style="color:red;">Invalid URL.</b><br><br>"""
except urllib2.URLError:
- # 404, non-existent host, IPv6 (not supported), ...
+ # One of 404, non-existent host, IPv6 (not supported), ...
intro = """<b style="color:red">Could not download from URL.</b><br><br>"""
if input != "":
- intro = "Validating data from URL<br><b><i><a href=\"" + url + "\" class=\"blackLink\">" + url + "</a></i></b><br><br>"
+ intro = "Validating data from URL<br><b><i><a href=\"" + cgi.escape(url, True) \
+ + "\" class=\"blackLink\">" + cgi.escape(url) + "</a></i></b><br><br>"
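Review bot: Escaping `url` with `quote=True` keeps it inside the `href` attribute, but it does not constrain what the link points to; the anchor is only rendered after the download succeeded (`if input != ""`), so which schemes can reach this line is decided by the fetch code above the hunk, which is not visible here. A comment on the `+` line making that dependency explicit would stop a later refactor from emitting the link before the fetch, e.g. `# url was already fetched by urllib2 above; never render this anchor for an unfetched URL`. The backslash continuation with a leading `+` on the following line is fragile to edit — wrapping the expression in parentheses or joining the pieces with `"".join` reads more clearly. The enclosing handler starts before this hunk.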