[Debian-l10n-commits] r1055 - /ddtp-web/ddt.cgi
kleptog-guest at users.alioth.debian.org
kleptog-guest at users.alioth.debian.org
Sun Jun 15 09:52:22 UTC 2008
Author: kleptog-guest
Date: Sun Jun 15 09:52:21 2008
New Revision: 1055
URL: http://svn.debian.org/wsvn/?sc=1&rev=1055
Log:
Fix more XSS reported by Moritz Naumann
Modified:
ddtp-web/ddt.cgi
Modified: ddtp-web/ddt.cgi
URL: http://svn.debian.org/wsvn/ddtp-web/ddt.cgi?rev=1055&op=diff
==============================================================================
--- ddtp-web/ddt.cgi (original)
+++ ddtp-web/ddt.cgi Sun Jun 15 09:52:21 2008
@@ -7,8 +7,6 @@
use CGI qw/:standard escape escapeHTML charset/;
use Digest::MD5 qw(md5_hex);
use Text::Diff;
-
-my $start= shift(@ARGV);
my $cgi = new CGI;
$cgi->charset("UTF-8");
@@ -94,6 +92,38 @@
}
}
+# Sanitize all paramaters to this script, anything we don't recognise is thrown out.
+sub sanitize_params
+{
+ my %params = @_;
+ for my $param (param())
+ {
+ if( not defined $params{$param} )
+ { CGI::delete($param); next; }
+ my $val = param($param);
+ if( $val !~ $params{$param} )
+ { CGI::delete($param); next }
+ }
+}
+
+my $PACKAGE_NAME = qr/^[\w.+-]+$/;
+my $LANGUAGE_NAME = qr/^[a-zA-z_]+$/;
+sanitize_params(
+ 'desc_id' => qr/^\d+$/,
+ 'language' => $LANGUAGE_NAME,
+ 'getuntrans' => $LANGUAGE_NAME,
+ 'getpountrans' => $LANGUAGE_NAME,
+ 'allpackages' => $LANGUAGE_NAME,
+ 'getone' => $LANGUAGE_NAME,
+ 'alltranslatedpackages' => $LANGUAGE_NAME,
+ 'alltranslatedpackages' => $LANGUAGE_NAME,
+ 'alluntranslatedpackages' => $LANGUAGE_NAME,
+ 'package' => $PACKAGE_NAME,
+ 'diff1' => $PACKAGE_NAME,
+ 'diff2' => $PACKAGE_NAME,
+ 'source' => $PACKAGE_NAME,
+ 'part_md5' => qr/^[a-f0-9]+$/,
+);
if (param('desc_id') and not param('language') and not param('getuntrans') and not param('getpountrans') ) {
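Review bot: The `$LANGUAGE_NAME` pattern at the `my $LANGUAGE_NAME = qr/^[a-zA-z_]+$/;` line uses the range `A-z`, which in ASCII also admits `[`, `\`, `]`, `^`, `` ` `` and `_`, so the whitelist is looser than the uppercase/lowercase intent; it should read `my $LANGUAGE_NAME = qr/^[a-zA-Z_]+\z/;`. The `$` anchor in every pattern here (also `$PACKAGE_NAME`, `desc_id` and `part_md5`) matches before a trailing newline, so a value ending in `\n` passes the check; `\z` rejects it. In `sanitize_params`, `my $val = param($param);` reads only the first value of a multi-valued parameter, so if the script later reads the same parameter in list context the remaining values reach it unvalidated — worth either checking every value from `param($param)` in list context or documenting that only the first is trusted. The duplicated `'alltranslatedpackages'` key and the `paramaters` spelling in the header comment are cosmetic but easy to tidy in the same change.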