This patch fixes the XSS vulnerability from CAN-2004-1397:
Note 1: This patch must be taken from the edit form of this page, not copied from the rendered view: rendering decodes the HTML entities inside the patch's substitutions, so a copy of the rendered text would contain no-op replacements such as `s/&/&/g` where `s/&/&amp;/g` is intended. (Click the edit link at the bottom of the page, then copy/paste the patch into a text file.)
Note 2: This patch is not (yet) complete: it mistakenly quotes at least one rare case. See the /XssFixTalk page for more discussion.
This patch does not work against a pristine copy of UseMod 1.0: "Hunk #2 FAILED at 388". The first line of sub Tss is the problem -- it was different in the basis of this patch than in UseMod 1.0. I think that line is wrong in the latter: UseMod 1.0 has `my $text = @_[0];`, a one-element array slice that Perl accepts with a warning, where the scalar element `my $text = $_[0];` is meant. See later on the page for a 'clean' diff that includes this correction. -- DanMuller
Patch follows:
Index: wiki.pl
===================================================================
--- wiki.pl (Revision 193)
+++ wiki.pl (Arbeitskopie)
@@ -376,8 +376,13 @@
}
sub Ts {
- my ($text, $string) = @_;
+ my ($text, $string, $noquote) = @_;
+ unless($noquote) {
+ $string =~ s/&/&/g;
+ $string =~ s/</</g;
+ $string =~ s/>/>/g;
+ }
$text = T($text);
$text =~ s/\%s/$string/;
return $text;
@@ -385,9 +390,17 @@
sub Tss {
my $text = $_[0];
+ my @args = @_;
+ @args = map {
+ my $a = $_;
+ $a =~ s/&/&/g;
+ $a =~ s/</</g;
+ $a =~ s/>/>/g;
+ $a;
+ } @args;
$text = T($text);
- $text =~ s/\%([1-9])/$_[$1]/ge;
+ $text =~ s/\%([1-9])/$args[$1]/ge;
return $text;
}
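Review bot: `my $a = $_;` inside the `map` block declares a lexical named `$a`, which masks the package variable `sort` relies on within that scope; `my $arg = $_;` avoids the trap, and because `map` aliases `$_` to each element the copy-and-return can be replaced by an in-place loop, `for (@args) { s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g; }`. Unlike Ts, Tss gets no `$noquote` escape hatch, so any caller that passes a pre-built link through `%1`..`%9` will now display the tag text literally instead of a link; the note at the top of the page that the patch "mistakenly quotes at least one rare case" is presumably this. `$args[0]` (the format string) is escaped along with the arguments although it is never used, since `$text` was already taken from `$_[0]`; iterating from index 1 would make that intent explicit. As rendered, the substitutions read `s/&/&/g` and are no-ops — the entities appear to have been decoded by the page, so apply the patch from the edit form.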
@@ -1299,7 +1312,7 @@
$result .= '<div class=wikiheader>';
if ($oldId ne '') {
$result .= $q->h3('(' . Ts('redirected from %s',
- &GetEditLink($oldId, $oldId)) . ')');
+ &GetEditLink($oldId, $oldId), 1) . ')');
}
if ((!$embed) && ($LogoUrl ne "")) {
$logoImage = "img src=\"$LogoUrl\" alt=\"$altText\" border=0";
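Review bot: The bare `1` appended on the new `&GetEditLink($oldId, $oldId), 1) . ')');` line is a magic argument: a reader has to go find Ts to learn it means "do not escape", and that is exactly the decision a later maintainer needs to see when touching this line. A trailing comment records it at the call site: `&GetEditLink($oldId, $oldId), 1) . ')');  # 1: link is already HTML, skip escaping`. With escaping off here, correctness rests on GetEditLink HTML-escaping `$oldId` itself, which this hunk does not show; `$oldId` looks like a page name taken from the request, so that is worth confirming before relying on it. The enclosing sub starts and ends outside this hunk.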
@@ -1425,7 +1438,7 @@
$result .= ' ' . &TimeToText($Section{ts});
if ($AuthorFooter) {
$result .= ' ' . Ts('by %s', &GetAuthorLink($Section{'host'},
- $Section{'username'}, $Section{'id'}));
+ $Section{'username'}, $Section{'id'}), 1);
}
}
if ($UseDiff) {
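Review bot: Passing `1` as `$noquote` on the new `$Section{'username'}, $Section{'id'}), 1);` line turns escaping off for the whole author link, so the fix now depends on GetAuthorLink HTML-escaping `$Section{'host'}` and `$Section{'username'}` itself, which is not visible in this hunk; if it inserts the stored username verbatim, the page footer remains an injection point for a crafted username. I would confirm that before merging and note the assumption where the bypass is taken: `$Section{'username'}, $Section{'id'}), 1);  # 1: GetAuthorLink returns escaped HTML`. The enclosing sub starts and ends outside this hunk.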
@@ -3290,7 +3303,7 @@
print ' (', T('Your user name is'), ' ',
&GetPageLink($userName) . ') ';
} else {
- print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink()), ') ';
+ print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink(), 1), ') ';
}
print $q->submit(-name=>'Preview', -value=>T('Preview')), "\n";
if ($isConflict) {
ChristophBerg? (cb@df7cb.de)
--- wiki.pl 2005-05-14 13:23:53.370796656 -0400
+++ wiki-xss-fix.pl 2005-05-14 13:23:40.405767640 -0400
@@ -374,18 +374,31 @@
}
sub Ts {
- my ($text, $string) = @_;
+ my ($text, $string, $noquote) = @_;
+ unless($noquote) {
+ $string =~ s/&/&/g;
+ $string =~ s/</</g;
+ $string =~ s/>/>/g;
+ }
$text = T($text);
$text =~ s/\%s/$string/;
return $text;
}
sub Tss {
- my $text = @_[0];
+ my $text = $_[0];
+ my @args = @_;
+ @args = map {
+ my $a = $_;
+ $a =~ s/&/&/g;
+ $a =~ s/</</g;
+ $a =~ s/>/>/g;
+ $a;
+ } @args;
$text = T($text);
- $text =~ s/\%([1-9])/$_[$1]/ge;
+ $text =~ s/\%([1-9])/$args[$1]/ge;
return $text;
}
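Review bot: The same three substitutions are now duplicated in Ts and Tss, and neither copy escapes `"`, so a `%s`/`%1` that ends up inside an attribute value is still injectable; a single quoting helper used by both subs removes the duplication, gives one place to add `&quot;`, and avoids the `my $a` lexical in Tss that masks the package variable `sort` uses (if wiki.pl already has an HTML-quoting routine, call that instead of adding a new one). Note also that as rendered here the substitutions read `s/&/&/g`, which would replace nothing; the intended `&amp;`/`&lt;`/`&gt;` forms appear to have been decoded by the page, so take the patch from the edit form. Tss still has no `$noquote` equivalent, so callers that pass pre-built links through `%1`..`%9` will show the markup literally. The sketch below keeps both signatures unchanged.
```perl
# Escape the characters that let a string break out of HTML text.
sub QuoteHtmlArg {
    my ($html) = @_;
    $html =~ s/&/&amp;/g;
    $html =~ s/</&lt;/g;
    $html =~ s/>/&gt;/g;
    $html =~ s/"/&quot;/g;
    return $html;
}

sub Ts {
    my ($text, $string, $noquote) = @_;   # $noquote: $string is already HTML
    $string = QuoteHtmlArg($string) unless $noquote;
    # … unchanged: T() lookup and %s substitution …
}

sub Tss {
    my $text = $_[0];
    my @args = map { QuoteHtmlArg($_) } @_;   # index 0 is never used below
    # … unchanged: T() lookup and %1..%9 substitution …
}
```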
@@ -1297,7 +1310,7 @@
$result .= '<div class=wikiheader>';
if ($oldId ne '') {
$result .= $q->h3('(' . Ts('redirected from %s',
- &GetEditLink($oldId, $oldId)) . ')');
+ &GetEditLink($oldId, $oldId), 1) . ')');
}
if ((!$embed) && ($LogoUrl ne "")) {
$logoImage = "img src=\"$LogoUrl\" alt=\"$altText\" border=0";
@@ -1419,7 +1432,7 @@
$result .= ' ' . &TimeToText($Section{ts});
if ($AuthorFooter) {
$result .= ' ' . Ts('by %s', &GetAuthorLink($Section{'host'},
- $Section{'username'}, $Section{'id'}));
+ $Section{'username'}, $Section{'id'}), 1);
}
}
if ($UseDiff) {
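Review bot: The `1` added on the new `$Section{'username'}, $Section{'id'}), 1);` line disables escaping for the author link, so the patch is only complete if GetAuthorLink escapes `$Section{'username'}` and `$Section{'host'}` itself; that routine is not in this hunk, and a username inserted verbatim there would keep the footer exploitable. Confirm it, and document the trust decision at the call site: `# 1: GetAuthorLink returns escaped HTML`. The enclosing sub starts and ends outside this hunk.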
@@ -3276,7 +3289,7 @@
print ' (', T('Your user name is'), ' ',
&GetPageLink($userName) . ') ';
} else {
- print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink()), ') ';
+ print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink(), 1), ') ';
}
print $q->submit(-name=>'Preview', -value=>T('Preview')), "\n";
if ($isConflict) {