WikiPatches/XssFix


Added a modified version in 1.0.1 --MarkusLude

This patch fixes the XSS vulnerability from CAN-2004-1397:

Note 1: This patch must be taken from the edit form of this page. (Click the edit link at the bottom of the page, then copy/paste the patch into a text file.)

Note 2: This patch is not (yet) complete: it mistakenly quotes at least one rare case. See the /XssFixTalk page for more discussion.

This patch does not work against a pristine copy of UseMod 1.0: "Hunk #2 FAILED at 388". The first line of sub Tss is the problem -- it was different in the basis of this patch than in UseMod 1.0. I think that line is wrong in the latter. See later on the page for a 'clean' diff. -- DanMuller

Patch follows:


Index: wiki.pl
===================================================================
--- wiki.pl     (Revision 193)
+++ wiki.pl     (Arbeitskopie)
@@ -376,8 +376,13 @@
 }
 
 sub Ts {
-  my ($text, $string) = @_;
+  my ($text, $string, $noquote) = @_;
 
+  unless($noquote) {
+    $string =~ s/&/&/g;
+    $string =~ s/</</g;
+    $string =~ s/>/>/g;
+  }
   $text = T($text);
   $text =~ s/\%s/$string/;
   return $text;
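Review bot: as shown, each of the three substitutions in the `unless($noquote)` block has an identical pattern and replacement (`s/&/&/g`, `s/</</g`, `s/>/>/g`), so `$string` reaches `s/\%s/$string/` unchanged. The replacements need to be the entities `&amp;`, `&lt;` and `&gt;`, with the ampersand substitution kept first so the entities produced by the later two are not escaped again.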
@@ -385,9 +390,17 @@
 
 sub Tss {
   my $text = $_[0];
+  my @args = @_;
+  @args = map {
+    my $a = $_;
+    $a =~ s/&/&/g;
+    $a =~ s/</</g;
+    $a =~ s/>/>/g;
+    $a;
+  } @args;
 
   $text = T($text);
-  $text =~ s/\%([1-9])/$_[$1]/ge;
+  $text =~ s/\%([1-9])/$args[$1]/ge;
   return $text;
 }
 
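Review bot: the `map` block in `Tss` repeats the three substitutions already added to `Ts`; moving them into one shared helper would keep the two copies from drifting apart. `Tss` also gets no counterpart to `$noquote`, so a caller that passes markup for `%1` to `%9` has no way to opt out and will see it escaped.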
@@ -1299,7 +1312,7 @@
   $result .= '<div class=wikiheader>';
   if ($oldId ne '') {
     $result .= $q->h3('(' . Ts('redirected from %s', 
-                               &GetEditLink($oldId, $oldId)) . ')');
+                               &GetEditLink($oldId, $oldId), 1) . ')');
   }
   if ((!$embed) && ($LogoUrl ne "")) {
     $logoImage = "img src=\"$LogoUrl\" alt=\"$altText\" border=0";
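Review bot: passing `1` here turns quoting off for the whole return value of `&GetEditLink($oldId, $oldId)`, and nothing in this hunk shows that `GetEditLink` quotes `$oldId` before building the link. Confirm that it does, and add a comment at the call stating that the argument is already HTML.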
@@ -1425,7 +1438,7 @@
     $result .= ' ' . &TimeToText($Section{ts});
     if ($AuthorFooter) {
       $result .= ' ' . Ts('by %s', &GetAuthorLink($Section{'host'},
-                                     $Section{'username'}, $Section{'id'}));
+                                     $Section{'username'}, $Section{'id'}), 1);
     }
   }
   if ($UseDiff) {
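Review bot: of the opt-out call sites this one carries a value the visitor chooses, `$Section{'username'}`, so with the trailing `1` the output is only as safe as `GetAuthorLink`. The hunk does not show that sub; check that it escapes the username and host before they go into the link text.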
@@ -3290,7 +3303,7 @@
     print ' (', T('Your user name is'), ' ',
           &GetPageLink($userName) . ') ';
   } else {
-    print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink()), ') ';
+    print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink(), 1), ') ';
   }
   print $q->submit(-name=>'Preview', -value=>T('Preview')), "\n";
   if ($isConflict) {
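Review bot: the bare `1` after `&GetPrefsLink()` gives no hint that it disables quoting and is easy to overlook at the end of the argument list. A comment on the `$noquote` parameter of `Ts`, or a named constant in place of `1`, would make the opt-out calls easy to find and audit.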


See also:

ChristophBerg (cb@df7cb.de)


Here's a unified diff versus a pristine copy of UseMod 1.0:
--- wiki.pl	2005-05-14 13:23:53.370796656 -0400
+++ wiki-xss-fix.pl	2005-05-14 13:23:40.405767640 -0400
@@ -374,18 +374,31 @@
 }
 
 sub Ts {
-  my ($text, $string) = @_;
+  my ($text, $string, $noquote) = @_;
 
+  unless($noquote) {
+    $string =~ s/&/&/g;
+    $string =~ s/</</g;
+    $string =~ s/>/>/g;
+  }
   $text = T($text);
   $text =~ s/\%s/$string/;
   return $text;
 }
 
 sub Tss {
-  my $text = @_[0];
+  my $text = $_[0];
+  my @args = @_;
+  @args = map {
+    my $a = $_;
+    $a =~ s/&/&/g;
+    $a =~ s/</</g;
+    $a =~ s/>/>/g;
+    $a;
+  } @args;
 
   $text = T($text);
-  $text =~ s/\%([1-9])/$_[$1]/ge;
+  $text =~ s/\%([1-9])/$args[$1]/ge;
   return $text;
 }
 
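Review bot: the quoting added to `Ts` and `Tss` covers `&`, `<` and `>` but not `"` or `'`, which is enough for element content only. If any translated string places `%s` or `%1` inside an attribute value, the quote characters need escaping as well. The `@_[0]` to `$_[0]` change on the first line of `Tss` is a separate cleanup and would read better as its own patch.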
@@ -1297,7 +1310,7 @@
   $result .= '<div class=wikiheader>';
   if ($oldId ne '') {
     $result .= $q->h3('(' . Ts('redirected from %s', 
-                               &GetEditLink($oldId, $oldId)) . ')');
+                               &GetEditLink($oldId, $oldId), 1) . ')');
   }
   if ((!$embed) && ($LogoUrl ne "")) {
     $logoImage = "img src=\"$LogoUrl\" alt=\"$altText\" border=0";
@@ -1419,7 +1432,7 @@
     $result .= ' ' . &TimeToText($Section{ts});
     if ($AuthorFooter) {
       $result .= ' ' . Ts('by %s', &GetAuthorLink($Section{'host'},
-                                     $Section{'username'}, $Section{'id'}));
+                                     $Section{'username'}, $Section{'id'}), 1);
     }
   }
   if ($UseDiff) {
@@ -3276,7 +3289,7 @@
     print ' (', T('Your user name is'), ' ',
           &GetPageLink($userName) . ') ';
   } else {
-    print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink()), ') ';
+    print ' (', Ts('Visit %s to set your user name.', &GetPrefsLink(), 1), ') ';
   }
   print $q->submit(-name=>'Preview', -value=>T('Preview')), "\n";
   if ($isConflict) {

See /XssFixTalk for discussion of this patch. --CliffordAdams


Last edited November 6, 2007 11:50 pm by MarkusLude