authorV3n3RiX <venerix@redcorelinux.org>2018-07-14 21:03:06 +0100
committerV3n3RiX <venerix@redcorelinux.org>2018-07-14 21:03:06 +0100
commit8376ef56580626e9c0f796d5b85b53a0a1c7d5f5 (patch)
tree7681bbd4e8b05407772df40a4bf04cbbc8afc3fa /app-text/info2html/files
parent30a9caf154332f12ca60756e1b75d2f0e3e1822d (diff)
gentoo resync : 14.07.2018
Diffstat (limited to 'app-text/info2html/files')
-rw-r--r--app-text/info2html/files/info2html-2.0-xss.patch61
1 files changed, 61 insertions, 0 deletions
diff --git a/app-text/info2html/files/info2html-2.0-xss.patch b/app-text/info2html/files/info2html-2.0-xss.patch
new file mode 100644
index 000000000000..a2254bdbbe2b
--- /dev/null
+++ b/app-text/info2html/files/info2html-2.0-xss.patch
@@ -0,0 +1,61 @@
+diff -u info2html-2.0-orig/info2html info2html-2.0/info2html
+--- info2html-2.0-orig/info2html 2006-09-01 14:55:13.000000000 +0200
++++ info2html-2.0/info2html 2006-09-01 15:05:41.000000000 +0200
+@@ -42,7 +42,7 @@
+
+ use CGI;
+ $ENV{'REQUEST_METHOD'} or
+- print "Note: I'm really supposed to be run as a CGI!\n";
++ print "Note: I'm really supposed to be run as a CGI\!\n";
+
+ #-- patterns
+ $NODEBORDER = '\037\014?'; #-- delimiter of an info node
+@@ -62,7 +62,7 @@
+ #---------------------------------------------------------
+ # Don't reveal where we're looking... --jonh 5/20/97 (and reapplied 5/4/1998)
+ sub DieFileNotFound{
+- local($FileName) = @_;
++ local($FileName) = &XssEscape(@_);
+ #-- TEXT : error message if a file could not be opened
+ print <<"EOF";
+ <html><head><title>Info Files - Error Message</title>
+@@ -104,6 +104,28 @@
+ }
+
+ #----------------------------------------------------------
++# XssEscape
++#----------------------------------------------------------
++sub XssEscape {
++ local($Tag) = @_;
++ #-- output escaping is required to protect browser
++ # against `cross site' and `cross frame scripting'
++
++ $Tag =~ s/&/&amp;/gs; # ampersand
++ $Tag =~ s/#/&#35;/gs;
++ $Tag =~ s/;/&#59;/gs;
++ $Tag =~ s/[\000-\037\177-\237]/&iquest;/gs; # "ctrl" codes 0-31 and 127-159
++ $Tag =~ s/</&lt;/gs; # less-than symbol
++ $Tag =~ s/>/&gt;/gs; # greater-than symbol
++ $Tag =~ s/"/&quot;/gs; # double quote
++ $Tag =~ s/\240/&nbsp;/gs; # non-breaking space
++ $Tag =~ s/\255/&shy;/gs; # soft hyphen
++ # the rest is interpreted
++ # as ISO 8859-1
++ $Tag;
++}
++
++#----------------------------------------------------------
+ # ParsHeaderToken
+ #----------------------------------------------------------
+ # Parses the heaer line of an info node for a specific
+@@ -493,6 +515,8 @@
+ #----------------------------------------------------------
+ sub ReplyNotFoundMessage{
+ local($FileName,$Tag) = @_;
++ $FileName = &XssEscape($FileName);
++ $Tag = &XssEscape($Tag);
+ print <<"EOF";
+ <html><head><title>Info Files - Error Message</title>
+ $BOTS_STAY_AWAY
+Only in info2html-2.0: info2html.orig
+Only in info2html-2.0: info2html.rej
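Review bot: In the new XssEscape sub the substitution order corrupts its own output: `s/&/&amp;/gs` and `s/#/&#35;/gs` emit entities that end in `;`, and the following `s/;/&#59;/gs` then rewrites that terminator, so an input `&` leaves the function as `&amp&#59;` and an input `#` as `&#35&#59;`. Browsers generally tolerate the missing semicolon, so this reads as a rendering defect rather than an escaping bypass, but it makes the result depend on rule order in a way that is easy to break on the next edit. Escaping all the single-character cases in one pass through a lookup table removes that dependency; the control-code rule has to stay after it because `&iquest;` itself contains `;` and must not be re-escaped. The two later hunks (DieFileNotFound and ReplyNotFoundMessage) only call the sub and need no change.
```perl
sub XssEscape {
  local($Tag) = @_;
  #-- output escaping is required to protect browser
  # against `cross site' and `cross frame scripting'

  # One pass over the special characters, so no replacement text is
  # re-escaped by a later rule (a per-rule chain turns '&' into '&amp&#59;').
  my %esc = ( '&' => '&amp;',  '#' => '&#35;', ';' => '&#59;',
              '<' => '&lt;',   '>' => '&gt;',  '"' => '&quot;',
              "\240" => '&nbsp;', "\255" => '&shy;' );
  $Tag =~ s/([&#;<>"\240\255])/$esc{$1}/gs;
  # must run last: '&iquest;' contains ';' and must not be re-escaped
  $Tag =~ s/[\000-\037\177-\237]/&iquest;/gs; # "ctrl" codes 0-31 and 127-159
  # … unchanged: ISO 8859-1 comment and return of $Tag …
}
```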