[DRE-commits] [redmine] 01/02: fix potential XSS vulnerability when rendering flash messages
Antonio Terceiro
terceiro at moszumanska.debian.org
Sun Feb 22 16:10:34 UTC 2015
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch master-wheezy-backports
in repository redmine.
commit e94494ba11294c1bd5a664feaa3656505c708f59
Author: Antonio Terceiro <terceiro at debian.org>
Date: Sun Feb 22 13:01:49 2015 -0300
fix potential XSS vulnerability when rendering flash messages
---
debian/changelog | 8 ++++
.../patches/0001-Escape-flash-messages-19117.patch | 45 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 54 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 5b71300..b0fe7d3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+redmine (2.5.1-2~bpo70+6) UNRELEASED; urgency=medium
+
+ * debian/patches/0001-Escape-flash-messages-19117.patch
+ - fix potential XSS vulnerability when rendering flash messages
+ - no published CVE id yet
+
+ -- Antonio Terceiro <terceiro at debian.org> Sun, 22 Feb 2015 13:00:53 -0300
+
redmine (2.5.1-2~bpo70+5) wheezy-backports; urgency=medium
* Add missing dependency on bundler, needed after the latest upload
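Review bot: the changelog entry identifies the fix only by the patch file name and "no published CVE id yet"; since the patch itself carries an upstream reference (issue #19117, svn trunk@14016), recording that reference in the changelog would let the entry be matched to an advisory later and the CVE line be filled in once an id is assigned. The entry is also still marked UNRELEASED while carrying a backports version (2.5.1-2~bpo70+6); confirm the distribution is switched to wheezy-backports before upload.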
diff --git a/debian/patches/0001-Escape-flash-messages-19117.patch b/debian/patches/0001-Escape-flash-messages-19117.patch
new file mode 100644
index 0000000..dbaefdd
--- /dev/null
+++ b/debian/patches/0001-Escape-flash-messages-19117.patch
@@ -0,0 +1,45 @@
+From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang at yahoo.fr>
+Date: Tue, 17 Feb 2015 17:47:36 +0000
+Subject: [PATCH] Escape flash messages (#19117).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/account_controller.rb | 2 +-
+ app/controllers/admin_controller.rb | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/app/controllers/account_controller.rb
++++ b/app/controllers/account_controller.rb
+@@ -290,7 +290,7 @@ class AccountController < ApplicationCon
+ token = Token.new(:user => user, :action => "register")
+ if user.save and token.save
+ Mailer.register(token).deliver
+- flash[:notice] = l(:notice_account_register_done, :email => user.mail)
++ flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
+ redirect_to signin_path
+ else
+ yield if block_given?
+--- a/app/controllers/admin_controller.rb
++++ b/app/controllers/admin_controller.rb
+@@ -51,7 +51,7 @@ class AdminController < ApplicationContr
+ Redmine::DefaultData::Loader::load(params[:lang])
+ flash[:notice] = l(:notice_default_data_loaded)
+ rescue Exception => e
+- flash[:error] = l(:error_can_t_load_default_data, e.message)
++ flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
+ end
+ end
+ redirect_to admin_path
+@@ -63,9 +63,9 @@ class AdminController < ApplicationContr
+ ActionMailer::Base.raise_delivery_errors = true
+ begin
+ @test = Mailer.test_email(User.current).deliver
+- flash[:notice] = l(:notice_email_sent, User.current.mail)
++ flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
+ rescue Exception => e
+- flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message))
++ flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
+ end
+ ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
+ redirect_to settings_path(:tab => 'notifications')
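Review bot: the new patch file carries only the git format-patch header and no DEP-3 fields; add Origin (the upstream svn revision already quoted in the git-svn-id line), Bug (upstream issue #19117) and Applied-Upstream headers so the provenance survives a quilt refresh. On the change itself: escaping is done in the controllers by wrapping the interpolated values (user.mail, e.message, User.current.mail) in ERB::Util.h, which is only correct if the view renders flash content as already-trusted HTML; check that the flash rendering path does not escape a second time, otherwise an address containing "&" would display double-encoded. The two rescue branches also differ: the test_email site passes e.message.dup through replace_invalid_utf8 before escaping, presumably because that helper may alter its argument in place, while the default-data site hands e.message to h directly; a one-line comment at the .dup would spare the next reader from wondering why the sites differ. Finally, only these four flash assignments are covered, so it is worth confirming that no other flash[...] = l(...) site interpolates user-controlled values.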
diff --git a/debian/patches/series b/debian/patches/series
index ff1290d..7f3ce08 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
2017_Gemfile_debian.patch
1001_Parsedate.parsedate.patch
2020_load_awesome_nested_set.patch
+0001-Escape-flash-messages-19117.patch
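Review bot: the new entry is appended after 2020_load_awesome_nested_set.patch but is named with a 0001- prefix, which does not follow the numeric-prefix convention the rest of the series uses (1001_, 2017_, 2020_) and reads as if it should apply first; either give the file a number in the existing range or keep the name and accept that series order, not the file name, decides application order.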
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/redmine.git