[Debian-l10n-commits] r1055 - /ddtp-web/ddt.cgi

[kleptog-guest at users.alioth.debian.org]

Author: kleptog-guest
Date: Sun Jun 15 09:52:21 2008
New Revision: 1055

URL: http://svn.debian.org/wsvn/?sc=1&rev=1055
Log:
Fix more XSS reported by Moritz Naumann

Modified:
    ddtp-web/ddt.cgi

Modified: ddtp-web/ddt.cgi
URL: http://svn.debian.org/wsvn/ddtp-web/ddt.cgi?rev=1055&op=diff
==============================================================================
--- ddtp-web/ddt.cgi (original)
+++ ddtp-web/ddt.cgi Sun Jun 15 09:52:21 2008
@@ -7,8 +7,6 @@
 use CGI qw/:standard escape escapeHTML charset/;
 use Digest::MD5 qw(md5_hex);
 use Text::Diff;
-
-my $start= shift(@ARGV);
 
 my $cgi = new CGI;
 $cgi->charset("UTF-8");
@@ -94,6 +92,38 @@
 	}
 }
 
+# Sanitize all paramaters to this script, anything we don't recognise is thrown out.
+sub sanitize_params
+{
+  my %params = @_;
+  for my $param (param())
+  {
+    if( not defined $params{$param} )
+    { CGI::delete($param); next; }
+    my $val = param($param);
+    if( $val !~ $params{$param} )
+    { CGI::delete($param); next }
+  }
+}
+
+my $PACKAGE_NAME = qr/^[\w.+-]+$/;
+my $LANGUAGE_NAME = qr/^[a-zA-z_]+$/;
+sanitize_params(  
+    'desc_id' => qr/^\d+$/, 
+    'language' => $LANGUAGE_NAME, 
+    'getuntrans' => $LANGUAGE_NAME, 
+    'getpountrans' => $LANGUAGE_NAME, 
+    'allpackages' => $LANGUAGE_NAME, 
+    'getone' => $LANGUAGE_NAME, 
+    'alltranslatedpackages' => $LANGUAGE_NAME, 
+    'alltranslatedpackages' => $LANGUAGE_NAME, 
+    'alluntranslatedpackages' => $LANGUAGE_NAME, 
+    'package' => $PACKAGE_NAME, 
+    'diff1' => $PACKAGE_NAME, 
+    'diff2' => $PACKAGE_NAME, 
+    'source' => $PACKAGE_NAME,
+    'part_md5' => qr/^[a-f0-9]+$/, 
+);
 
 if (param('desc_id') and not param('language') and not param('getuntrans') and not param('getpountrans') ) {