extras-buildsys/www/template main.psp,1.4,1.5
Daniel Williams (dcbw)
fedora-extras-commits at redhat.com
Wed Oct 25 17:34:33 UTC 2006
Author: dcbw
Update of /cvs/fedora/extras-buildsys/www/template
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv26630/www/template
Modified Files:
main.psp
Log Message:
2006-10-25 Dan Williams <dcbw at redhat.com>
* www/template/main.psp
- Fix cross-site scripting vulnerability by stripping the provided
email address quite harshly
Index: main.psp
===================================================================
RCS file: /cvs/fedora/extras-buildsys/www/template/main.psp,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- main.psp 25 Nov 2005 04:45:18 -0000 1.4
+++ main.psp 25 Oct 2006 17:34:30 -0000 1.5
@@ -2,6 +2,7 @@
<%
import time
import os
+import urllib, cgi
from plague import XMLRPCServerProxy
from OpenSSL import SSL
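Review bot: `import urllib, cgi` packs two modules onto one line while the surrounding imports (`import time`, `import os`) keep one per line; split it into `import urllib` and `import cgi` for consistency. Only `urllib.unquote` and `cgi.escape` are used further down, so a short comment naming why each module is needed (percent-decoding the field, HTML-escaping the result) would help the next reader.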
@@ -18,7 +19,20 @@
if form.has_key('action'):
action = str(form['action'])
if form.has_key('email'):
- user_email = str(form['email'])
+ user_email = ''
+ unsafe = str(form['email'])
+ a = urllib.unquote(unsafe)
+ a = urllib.unquote(a)
+ if a == urllib.unquote(a):
+ safe = ''
+ for item in a:
+ if item != '>' and item != '<' and item != '/' and item != '\\' and item != ')' and item != '(' and item != "'" and item != '"' and item != '%':
+ safe = safe + item
+ user_email = cgi.escape(safe)
+ else:
+ # No email for you, too many quote levels
+ user_email = "error"
+ # endif
# endif
%>
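Review bot: the new block is a denylist that quietly rewrites the address instead of validating it, and an allowlist would be both shorter and more robust. The loop at `if item != '>' and item != '<' and item != '/' ...` enumerates eleven characters it considers dangerous and drops them, so an address containing one of them comes out altered rather than rejected, and anything not on the list (`&`, `;`, whitespace, control characters) passes straight through to `cgi.escape`. A valid e-mail address is built from letters, digits and a handful of punctuation characters; matching `a` against that set and rejecting everything else needs no list to maintain. Three further points. `urllib.unquote` is applied twice before the stability check, so a doubly percent-encoded payload such as `%253C` is decoded all the way to `<` before filtering, which only works because `<` happens to be on the list; with an allowlist the repeated decoding is unnecessary. `user_email = "error"` is an in-band sentinel that downstream code cannot tell apart from a user who literally typed `error`; an empty string, or a separate flag, would be safer. And `cgi.escape(safe)` without `quote=True` leaves `"` unescaped, which is harmless here only because `"` and `'` were stripped a few lines earlier; either pass `quote=True` or say in a comment that the escape relies on the stripping above.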