This patch fixes the XSS vulnerability from CAN-2004-1397:
Note 1: This patch must be taken from the edit form of this page. (Click the edit link at the bottom of the page, then copy/paste the patch into a text file.)
Note 2: This patch is not (yet) complete: it mistakenly quotes at least one rare case. See the /XssFixTalk page for more discussion.
This patch does not work against a pristine copy of UseMod 1.0: "Hunk #2 FAILED at 388". The first line of sub Tss is the problem -- it was different in the basis of this patch than in UseMod 1.0 (the basis has `my $text = $_[0];`, UseMod 1.0 has `my $text = @_[0];`). I think that line is wrong in the latter. See later on the page for a 'clean' diff. -- DanMuller
Patch follows:
Index: wiki.pl
===================================================================
--- wiki.pl (Revision 193)
+++ wiki.pl (Arbeitskopie)
@@ -376,8 +376,13 @@
 }
 sub Ts {
- my ($text, $string) = @_;
+ my ($text, $string, $noquote) = @_;
+ unless($noquote) {
+ $string =~ s/&/&/g;
+ $string =~ s/</</g;
+ $string =~ s/>/>/g;
+ }
 $text = T($text);
 $text =~ s/\%s/$string/;
 return $text;
@@ -385,9 +390,17 @@
 sub Tss {
 my $text = $_[0];
+ my @args = @_;
+ @args = map {
+ my $a = $_;
+ $a =~ s/&/&/g;
+ $a =~ s/</</g;
+ $a =~ s/>/>/g;
+ $a;
+ } @args;
 $text = T($text);
- $text =~ s/\%([1-9])/$_[$1]/ge;
+ $text =~ s/\%([1-9])/$args[$1]/ge;
 return $text;
 }
@@ -1299,7 +1312,7 @@
 $result .= '<div class=wikiheader>';
 if ($oldId ne '') {
 $result .= $q->h3('(' . Ts('redirected from %s',
- &GetEditLink($oldId, $oldId)) . ')');
+ &GetEditLink($oldId, $oldId), 1) . ')');
 }
 if ((!$embed) && ($LogoUrl ne "")) {
 $logoImage = "img src=\"$LogoUrl\" alt=\"$altText\" border=0";
@@ -1425,7 +1438,7 @@
 $result .= ' ' . &TimeToText($Section{ts});
 if ($AuthorFooter) {
 $result .= ' ' . Ts('by %s', &GetAuthorLink($Section{'host'},
- $Section{'username'}, $Section{'id'}));
+ $Section{'username'}, $Section{'id'}), 1);
 }
 }
 if ($UseDiff) {
@@ -3290,7 +3303,7 @@
 print ' (', T('Your user name is'), ' ', &GetPageLink($userName) . ') ';
 } else {
- print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink()), ') ';
+ print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink(), 1), ') ';
 }
 print $q->submit(-name=>'Preview', -value=>T('Preview')), "\n";
 if ($isConflict) {
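Review bot: As rendered here, the three substitutions added to sub Ts (`$string =~ s/&/&/g;` and the `<`/`>` pair) replace each character with itself, so the function escapes nothing and the XSS fix is a no-op; the replacement side was almost certainly `&amp;`, `&lt;` and `&gt;` and was decoded by the wiki on display, which is presumably what Note 1 about taking the patch from the edit form warns about. Anyone applying this text as shown should restore `$string =~ s/&/&amp;/g; $string =~ s/</&lt;/g; $string =~ s/>/&gt;/g;`, keeping the `&` substitution first so the entities it produces are not escaped again. Double quotes are left alone, so the escaping is only sufficient while every `%s` in a translated string lands in element content and never inside an attribute value; a comment on the `unless($noquote)` block such as `# escape %s for element content only; callers passing ready-made HTML must set $noquote` would make both limits visible. The hunk as shown ends before the closing brace of sub Ts.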
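Review bot: `my $a = $_;` inside the map block in sub Tss lexicalises `$a`, the package variable Perl's sort passes to its comparator; a lexical `$a` in scope makes a later `sort { $a <=> $b }` in the same scope silently read the lexical, and perlcritic flags it, so rename it, e.g. `my $arg = $_;` with the three substitutions applied to `$arg`. The map also runs the escaping over `$args[0]`, the format string itself; this is harmless because `%([1-9])` never selects index 0, but mapping over `@_[1..$#_]` would say what is meant. Unlike Ts, Tss gets no `$noquote` escape hatch, so any existing caller that passes pre-built link HTML as `%1`..`%9` will now show the markup literally, which appears to be the 'rare case' Note 2 on this page refers to and is worth a grep for callers before applying. The same `&`/`&amp;` rendering problem as in sub Ts applies to the replacement side of these substitutions.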
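Review bot: Passing `1` as `$noquote` at the `redirected from %s` call means the value returned by `&GetEditLink($oldId, $oldId)` is spliced into the page verbatim, so the XSS protection at this site now rests entirely on GetEditLink escaping `$oldId`, a page name that comes from the request, in both the href and the link text; GetEditLink is not in the hunk, so this should be verified rather than assumed. A comment at the call, `# noquote: GetEditLink returns ready-made HTML and must escape $oldId itself`, records that dependency for the next maintainer. The enclosing function starts and ends outside the hunk.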
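Review bot: The `1` added to the `Ts('by %s', &GetAuthorLink(...), 1)` call disables escaping of a value built from `$Section{'username'}`, user-supplied data stored with the page revision, so this is the call site most exposed if GetAuthorLink ever returns the username or host unescaped; GetAuthorLink is outside the hunk and its escaping should be confirmed before relying on it. A comment such as `# noquote: GetAuthorLink builds the anchor itself and is responsible for escaping username/host` would make the trust boundary explicit. The enclosing function starts and ends outside the hunk.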
ChristophBerg? (cb@df7cb.de)
--- wiki.pl 2005-05-14 13:23:53.370796656 -0400
+++ wiki-xss-fix.pl 2005-05-14 13:23:40.405767640 -0400
@@ -374,18 +374,31 @@
 }
 sub Ts {
- my ($text, $string) = @_;
+ my ($text, $string, $noquote) = @_;
+ unless($noquote) {
+ $string =~ s/&/&/g;
+ $string =~ s/</</g;
+ $string =~ s/>/>/g;
+ }
 $text = T($text);
 $text =~ s/\%s/$string/;
 return $text;
 }
 sub Tss {
- my $text = @_[0];
+ my $text = $_[0];
+ my @args = @_;
+ @args = map {
+ my $a = $_;
+ $a =~ s/&/&/g;
+ $a =~ s/</</g;
+ $a =~ s/>/>/g;
+ $a;
+ } @args;
 $text = T($text);
- $text =~ s/\%([1-9])/$_[$1]/ge;
+ $text =~ s/\%([1-9])/$args[$1]/ge;
 return $text;
 }
@@ -1297,7 +1310,7 @@
 $result .= '<div class=wikiheader>';
 if ($oldId ne '') {
 $result .= $q->h3('(' . Ts('redirected from %s',
- &GetEditLink($oldId, $oldId)) . ')');
+ &GetEditLink($oldId, $oldId), 1) . ')');
 }
 if ((!$embed) && ($LogoUrl ne "")) {
 $logoImage = "img src=\"$LogoUrl\" alt=\"$altText\" border=0";
@@ -1419,7 +1432,7 @@
 $result .= ' ' . &TimeToText($Section{ts});
 if ($AuthorFooter) {
 $result .= ' ' . Ts('by %s', &GetAuthorLink($Section{'host'},
- $Section{'username'}, $Section{'id'}));
+ $Section{'username'}, $Section{'id'}), 1);
 }
 }
 if ($UseDiff) {
@@ -3276,7 +3289,7 @@
 print ' (', T('Your user name is'), ' ', &GetPageLink($userName) . ') ';
 } else {
- print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink()), ') ';
+ print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink(), 1), ') ';
 }
 print $q->submit(-name=>'Preview', -value=>T('Preview')), "\n";
 if ($isConflict) {
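Review bot: This 'clean' diff carries the same two problems as the patch above it: the escaping substitutions in sub Ts and sub Tss are shown as identity replacements (`s/&/&/g`, `s/</</g`, `s/>/>/g`), almost certainly because the wiki decoded `&amp;`, `&lt;` and `&gt;` when rendering the page, so a copy taken from this view would leave the XSS hole open; restore `s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g;` in both subs, `&` first. In the Tss map block, `my $a = $_;` shadows the sort comparator variable `$a` for the rest of the scope; `my $arg = $_;` avoids that and the perlcritic warning. Double quotes are still not escaped, so the fix holds only while `%s`/`%1`..`%9` are substituted into element content rather than attribute values, which is worth a comment on the `unless($noquote)` block.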
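Review bot: The `1` added to the `Ts('by %s', &GetAuthorLink(...), 1)` call turns escaping off for a value derived from `$Section{'username'}`, which is user-supplied data, so correctness here depends on GetAuthorLink escaping the username and host itself; that function is outside the hunk and should be checked before this is merged. A comment such as `# noquote: GetAuthorLink returns finished HTML and must escape its own inputs` at the call would record the assumption. The enclosing function starts and ends outside the hunk.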