From 8376ef56580626e9c0f796d5b85b53a0a1c7d5f5 Mon Sep 17 00:00:00 2001
From: V3n3RiX
Date: Sat, 14 Jul 2018 21:03:06 +0100
Subject: gentoo resync : 14.07.2018
---
app-text/info2html/files/info2html-2.0-xss.patch | 61 ++++++++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 app-text/info2html/files/info2html-2.0-xss.patch
(limited to 'app-text/info2html/files')
diff --git a/app-text/info2html/files/info2html-2.0-xss.patch b/app-text/info2html/files/info2html-2.0-xss.patch
new file mode 100644
index 000000000000..a2254bdbbe2b
--- /dev/null
+++ b/app-text/info2html/files/info2html-2.0-xss.patch
@@ -0,0 +1,61 @@
+diff -u info2html-2.0-orig/info2html info2html-2.0/info2html
+--- info2html-2.0-orig/info2html 2006-09-01 14:55:13.000000000 +0200
++++ info2html-2.0/info2html 2006-09-01 15:05:41.000000000 +0200
+@@ -42,7 +42,7 @@
+
+ use CGI;
+ $ENV{'REQUEST_METHOD'} or
+- print "Note: I'm really supposed to be run as a CGI!\n";
++ print "Note: I'm really supposed to be run as a CGI\!\n";
+
+ #-- patterns
+ $NODEBORDER = '\037\014?'; #-- delimiter of an info node
+@@ -62,7 +62,7 @@
+ #---------------------------------------------------------
+ # Don't reveal where we're looking... --jonh 5/20/97 (and reapplied 5/4/1998)
+ sub DieFileNotFound{
+- local($FileName) = @_;
++ local($FileName) = &XssEscape(@_);
+ #-- TEXT : error message if a file could not be opened
+ print <<"EOF";
+ Info Files - Error Message
+@@ -104,6 +104,28 @@
+ }
+
+ #----------------------------------------------------------
++# XssEscape
++#----------------------------------------------------------
++sub XssEscape {
++ local($Tag) = @_;
++ #-- output escaping is required to protect browser
++ # against `cross site' and `cross frame scripting'
++
++ $Tag =~ s/&/&/gs; # ampersand
++ $Tag =~ s/#/#/gs;
++ $Tag =~ s/;/;/gs;
++ $Tag =~ s/[\000-\037\177-\237]/¿/gs; # "ctrl" codes 0-31 and 127-159
++ $Tag =~ s//>/gs; # greater-than symbol
++ $Tag =~ s/"/"/gs; # double quote
++ $Tag =~ s/\240/ /gs; # non-breaking space
++ $Tag =~ s/\255/­/gs; # soft hyphen
++ # the rest is interpreted
++ # as ISO 8859-1
++ $Tag;
++}
++
+ #----------------------------------------------------------
+ # ParsHeaderToken
+ #----------------------------------------------------------
+ # Parses the heaer line of an info node for a specific
+@@ -493,6 +515,8 @@
+ #----------------------------------------------------------
+ sub ReplyNotFoundMessage{
+ local($FileName,$Tag) = @_;
++ $FileName = &XssEscape($FileName);
++ $Tag = &XssEscape($Tag);
+ print <<"EOF";
+ Info Files - Error Message
+ $BOTS_STAY_AWAY
+Only in info2html-2.0: info2html.orig
+Only in info2html-2.0: info2html.rej
--
cgit v1.2.3
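Review bot: XssEscape, added in the inner `@@ -104,6 +104,28 @@` hunk, has no substitution for the apostrophe, so its output is safe only in element content and double-quoted attributes; if `$FileName` or `$Tag` is interpolated into a single-quoted attribute in the heredocs of DieFileNotFound or ReplyNotFoundMessage (their bodies continue outside the hunks), the value can still terminate that attribute. I would add `$Tag =~ s/'/&#39;/gs;` next to the double-quote line, which keeps it after the `#` and `;` substitutions so the new entity is not escaped a second time. The closing comment says the remaining bytes are read as ISO 8859-1, which holds only when the response declares that charset; whether the CGI's Content-Type header does so is not visible here and should be confirmed. Separately, the `CGI\!` change in the first inner hunk and the two trailing `Only in ...` lines look like tooling residue rather than part of the fix and could be dropped from the patch file.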