This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 82c0cd6ae0ebefb3503c7bc2c8bf2e47b08f5698 (commit) via df05a856cdc5044398284b1a8dc704b22dfca911 (commit) via 5ba9e6606e0a9666fb2bf83c68f1979f9dd2fbb2 (commit) via 8b33e596c470e9216bd4c7e61bf2bfc889ea6673 (commit) from e4d79ba496c7d5203e04df34bf59b827b79a2e0c (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 82c0cd6ae0ebefb3503c7bc2c8bf2e47b08f5698 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 21 17:41:28 2013 +0200
core73: Add changes files from #10406.
commit df05a856cdc5044398284b1a8dc704b22dfca911 Merge: e4d79ba 5ba9e66 Author: Michael Tremer michael.tremer@ipfire.org Date: Wed Aug 21 17:40:44 2013 +0200
Merge remote-tracking branch 'ms/xss' into next
commit 5ba9e6606e0a9666fb2bf83c68f1979f9dd2fbb2 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Aug 20 11:06:36 2013 +0200
proxylog.dat: Escape usernames.
Bug #10406.
commit 8b33e596c470e9216bd4c7e61bf2bfc889ea6673 Author: Michael Tremer michael.tremer@ipfire.org Date: Tue Aug 20 11:05:28 2013 +0200
header.pl: Create new escape function that uses HTML::Entities.
This partly replaces cleanhtml(), which is kept for backwards-compatibility and for a special case.
-----------------------------------------------------------------------
Summary of changes: config/cfgroot/header.pl | 17 +++++++++-------- config/rootfiles/core/73/filelists/files | 2 ++ html/cgi-bin/logs.cgi/proxylog.dat | 3 ++- 3 files changed, 13 insertions(+), 9 deletions(-)
Difference in files:
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index a7f209d..9129c68 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -12,6 +12,7 @@ package Header;
 use CGI();
+use HTML::Entities();
 use Socket;
 use Time::Local;
@@ -305,16 +306,16 @@ sub IpInSubnet
 return (($ip >= $start) && ($ip <= $end));
 }
-sub cleanhtml
-{
+sub escape($) {
+ my $s = shift;
+ return HTML::Entities::encode_entities($s);
+}
+
+sub cleanhtml {
 my $outstring =$_[0];
 $outstring =~ tr/,/ / if not defined $_[1] or $_[1] ne 'y';
- $outstring =~ s/&/&/g;
- $outstring =~ s/'/'/g;
- $outstring =~ s/"/"/g; #" This is just a workaround for the syntax highlighter
- $outstring =~ s/</</g;
- $outstring =~ s/>/>/g;
- return $outstring;
+
+ return escape($outstring);
 }
 sub connectionstatus
diff --git a/config/rootfiles/core/73/filelists/files b/config/rootfiles/core/73/filelists/files
index 6a58766..42bb310 100644
--- a/config/rootfiles/core/73/filelists/files
+++ b/config/rootfiles/core/73/filelists/files
@@ -1,6 +1,8 @@
 etc/system-release
 etc/issue
+srv/web/ipfire/cgi-bin/logs.cgi/proxylog.dat
 srv/web/ipfire/html/redirect.cgi
 srv/web/ipfire/html/redirect-templates/
+var/ipfire/header.pl
 var/ipfire/langs
 var/ipfire/proxy/advanced/useragents
diff --git a/html/cgi-bin/logs.cgi/proxylog.dat b/html/cgi-bin/logs.cgi/proxylog.dat
index e529be0..da86f89 100644
--- a/html/cgi-bin/logs.cgi/proxylog.dat
+++ b/html/cgi-bin/logs.cgi/proxylog.dat
@@ -90,7 +90,7 @@ if ($ENV{'QUERY_STRING'} && $cgiparams{'ACTION'} ne $Lang::tr{'update'})
 $cgiparams{'MONTH'} = $temp[1];
 $cgiparams{'DAY'} = $temp[2];
 $cgiparams{'SOURCE_IP'} = $temp[3];
- $cgiparams{'USERNAME'} = $temp[4];
+ $cgiparams{'USERNAME'} = &Header::escape($temp[4]);
 }
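Review bot: `HTML::Entities::encode_entities($s)` with no second argument encodes every non-ASCII character and most control characters as numeric entities in addition to `<>&"'`, which the per-character substitutions removed from cleanhtml() did not do; if a caller hands in undecoded UTF-8 bytes (log usernames are a likely case), each byte above 0x7F becomes its own `&#NNN;` and the text is mangled. Restricting the set to the HTML-significant characters keeps the old behaviour while still neutralising markup: `return HTML::Entities::encode_entities($s, q{<>&"'});`. The `($)` prototype on `sub escape` does not validate arguments and is bypassed entirely by the `&Header::escape(...)` call form used in proxylog.dat, so it should be dropped: `sub escape {`. cleanhtml() still replaces commas before escaping, so the two functions are not interchangeable for callers that relied on that.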
 if (!($cgiparams{'MONTH'} =~ /^(0|1|2|3|4|5|6|7|8|9|10|11)$/) ||
@@ -383,6 +383,7 @@ print <<END
 END
 ;
 foreach my $so (sort keys %users) {
+ $so = &Header::escape($so);
 print "<option value='$so' $selected{'USERNAME'}{$so}>$so</option>\n";
 }
 print <<END
 </select>
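Review bot: `$cgiparams{'USERNAME'} = &Header::escape($temp[4]);` stores the HTML-encoded form of the username in the request parameters rather than the username itself, so any later comparison of this value against log records or its reuse as a form value (both outside this hunk) would presumably see `&amp;`/`&#39;` instead of the original characters. Escaping belongs at the point of output; keep `$cgiparams{'USERNAME'} = $temp[4];` here and apply `&Header::escape` where the value is printed. This assignment also runs only on the QUERY_STRING path named in the hunk header, so the parameter would be encoded on one request path and raw on the other, which is the kind of inconsistency that leads to double-escaping or a missed escape.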
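Review bot: `$so = &Header::escape($so);` overwrites the loop variable before the `$selected{'USERNAME'}{$so}` lookup, so for a username containing any of `<>&"'` (or non-ASCII, with the default encode set) the key presumably no longer matches whatever populated `%selected` and the current selection is lost; the option `value` is likewise the encoded string rather than the username. Keep the raw value for the lookup and escape only what is emitted: `my $escaped = &Header::escape($so);` followed by `print "<option value='$escaped' $selected{'USERNAME'}{$so}>$escaped</option>\n";`. Using the escaped form inside the attribute is still correct, since the browser decodes entities before submitting the value.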