This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 9fae7ab32b1dacf9c6476e9733f6ebe905343aa8 (commit) via 2a0d7a03d7df63806dc37b93ea10a93c2da4e4ea (commit) from c847846c4cae4962b94dac3be871be5f9d0461b7 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 9fae7ab32b1dacf9c6476e9733f6ebe905343aa8 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed May 24 08:22:56 2023 +0000
core175: Ship updated clwarn.cgi
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 2a0d7a03d7df63806dc37b93ea10a93c2da4e4ea Author: Michael Tremer michael.tremer@ipfire.org Date: Mon Oct 24 15:57:56 2022 +0100
clwarn.cgi: Remove XSS
Fixes: #12966 Fixes: CVE-2022-44392 Reported-by: Arthur Naullet arthur.naullet@epita.fr Reported-by: Rafael Lima isec-researcher@protonmail.com Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/175/filelists/files | 1 + html/html/clwarn.cgi | 9 +++++---- 2 files changed, 6 insertions(+), 4 deletions(-)
Difference in files: diff --git a/config/rootfiles/core/175/filelists/files b/config/rootfiles/core/175/filelists/files index 01a32e672..7cbed4a21 100644 --- a/config/rootfiles/core/175/filelists/files +++ b/config/rootfiles/core/175/filelists/files @@ -85,6 +85,7 @@ lib/firmware/rtw89/rtw8852b_fw-1.bin srv/web/ipfire/cgi-bin/backup.cgi srv/web/ipfire/cgi-bin/logs.cgi/log.dat srv/web/ipfire/cgi-bin/ovpnmain.cgi +srv/web/ipfire/html/clwarn.cgi srv/web/ipfire/html/images/openvpn_encrypted.png usr/lib/dracut/dracut.conf.d/ipfire.conf usr/lib/firewall/rules.pl diff --git a/html/html/clwarn.cgi b/html/html/clwarn.cgi index 44f7f98ab..c7a415cdb 100644 --- a/html/html/clwarn.cgi +++ b/html/html/clwarn.cgi @@ -20,6 +20,7 @@ ###############################################################################
use CGI qw(param); +use HTML::Entities();
# enable only the following on debugging purpose use warnings; @@ -30,11 +31,11 @@ $swroot="/var/ipfire";
my $TITLE_VIRUS = "SquidClamAv Virus detection";
-my $url = param('url') || ''; -my $virus = param('virus') || ''; -my $source = param('source') || ''; +my $url = &HTML::Entities::encode_entities(param('url') || ''); +my $virus = &HTML::Entities::encode_entities(param('virus') || ''); +my $source = &HTML::Entities::encode_entities(param('source') || ''); $source =~ s//-//; -my $user = param('user') || ''; +my $user = &HTML::Entities::encode_entities(param('user') || '');
# Remove clamd infos
hooks/post-receive -- IPFire 2.x development tree