* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 82c0cd6ae0ebefb3503c7bc2c8bf2e47b08f5698
@ 2013-08-21 15:41 git
  0 siblings, 0 replies; only message in thread
From: git @ 2013-08-21 15:41 UTC (permalink / raw)
  To: ipfire-scm

[-- Attachment #1: Type: text/plain, Size: 4273 bytes --]

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  82c0cd6ae0ebefb3503c7bc2c8bf2e47b08f5698 (commit)
       via  df05a856cdc5044398284b1a8dc704b22dfca911 (commit)
       via  5ba9e6606e0a9666fb2bf83c68f1979f9dd2fbb2 (commit)
       via  8b33e596c470e9216bd4c7e61bf2bfc889ea6673 (commit)
      from  e4d79ba496c7d5203e04df34bf59b827b79a2e0c (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 82c0cd6ae0ebefb3503c7bc2c8bf2e47b08f5698
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Aug 21 17:41:28 2013 +0200

    core73: Add changes files from #10406.

commit df05a856cdc5044398284b1a8dc704b22dfca911
Merge: e4d79ba 5ba9e66
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Wed Aug 21 17:40:44 2013 +0200

    Merge remote-tracking branch 'ms/xss' into next

commit 5ba9e6606e0a9666fb2bf83c68f1979f9dd2fbb2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Aug 20 11:06:36 2013 +0200

    proxylog.dat: Escape usernames.
    
    Bug #10406.

commit 8b33e596c470e9216bd4c7e61bf2bfc889ea6673
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Aug 20 11:05:28 2013 +0200

    header.pl: Create new escape function that uses HTML::Entities.
    
    This partly replaces cleanhtml(), which is kept for
    backwards-compatibility and for a special case.

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/header.pl                 | 17 +++++++++--------
 config/rootfiles/core/73/filelists/files |  2 ++
 html/cgi-bin/logs.cgi/proxylog.dat       |  3 ++-
 3 files changed, 13 insertions(+), 9 deletions(-)

Difference in files:
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index a7f209d..9129c68 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -12,6 +12,7 @@
 package Header;
 
 use CGI();
+use HTML::Entities();
 use Socket;
 use Time::Local;
 
@@ -305,16 +306,16 @@ sub IpInSubnet
     return (($ip >= $start) && ($ip <= $end));
 }
 
-sub cleanhtml
-{
+sub escape($) {
+	my $s = shift;
+	return HTML::Entities::encode_entities($s);
+}
+
+sub cleanhtml {
 	my $outstring =$_[0];
 	$outstring =~ tr/,/ / if not defined $_[1] or $_[1] ne 'y';
-	$outstring =~ s/&/&amp;/g;
-	$outstring =~ s/\'/&#039;/g;
-	$outstring =~ s/\"/&quot;/g; #" This is just a workaround for the syntax highlighter
-	$outstring =~ s/</&lt;/g;
-	$outstring =~ s/>/&gt;/g;
-	return $outstring;
+
+	return escape($outstring);
 }
 
 sub connectionstatus
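Review bot: `escape()` calls `encode_entities` with its default unsafe set, which besides `<`, `>`, `&` and both quote characters also rewrites control and high-bit characters; if callers pass undecoded UTF-8 byte strings (not visible here), each non-ASCII byte would come out as its own Latin-1 entity, and `cleanhtml()` now inherits that change. Passing the set explicitly, `return HTML::Entities::encode_entities($s, '<>&"\'');`, keeps the output limited to the five characters the removed substitutions handled. The `($)` prototype on `escape` validates nothing and is bypassed by the `&Header::escape(...)` call form used in proxylog.dat, so it can be dropped. A short comment above `escape` saying the result is meant for HTML text and quoted attribute values, not for script or URL contexts, would help later callers pick the right function.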
diff --git a/config/rootfiles/core/73/filelists/files b/config/rootfiles/core/73/filelists/files
index 6a58766..42bb310 100644
--- a/config/rootfiles/core/73/filelists/files
+++ b/config/rootfiles/core/73/filelists/files
@@ -1,6 +1,8 @@
 etc/system-release
 etc/issue
+srv/web/ipfire/cgi-bin/logs.cgi/proxylog.dat
 srv/web/ipfire/html/redirect.cgi
 srv/web/ipfire/html/redirect-templates/
+var/ipfire/header.pl
 var/ipfire/langs
 var/ipfire/proxy/advanced/useragents
diff --git a/html/cgi-bin/logs.cgi/proxylog.dat b/html/cgi-bin/logs.cgi/proxylog.dat
index e529be0..da86f89 100644
--- a/html/cgi-bin/logs.cgi/proxylog.dat
+++ b/html/cgi-bin/logs.cgi/proxylog.dat
@@ -90,7 +90,7 @@ if ($ENV{'QUERY_STRING'} && $cgiparams{'ACTION'} ne $Lang::tr{'update'})
  	$cgiparams{'MONTH'} = $temp[1];
  	$cgiparams{'DAY'} = $temp[2];  
 	$cgiparams{'SOURCE_IP'} = $temp[3];
-	$cgiparams{'USERNAME'} = $temp[4];
+	$cgiparams{'USERNAME'} = &Header::escape($temp[4]);
 }
 
 if (!($cgiparams{'MONTH'} =~ /^(0|1|2|3|4|5|6|7|8|9|10|11)$/) ||
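Review bot: Escaping `$temp[4]` at parse time stores an HTML-encoded string in `$cgiparams{'USERNAME'}`, so any later comparison of that value with raw usernames from the log would stop matching for names containing `&`, `<`, `>` or quotes, and any path that escapes it again on output would double-encode. The same coupling shows at `$so = &Header::escape($so);` in the `@@ -383,6 +383,7 @@` hunk, where the `%selected` lookup now uses the escaped key. Keeping the raw value in `%cgiparams` and calling `Header::escape()` at each place it is printed would avoid that. Only the query-string branch is covered here: `$cgiparams{'SOURCE_IP'} = $temp[3];` on the line above stays unescaped, and a USERNAME arriving through the form path would not pass through this assignment; whether those are validated or escaped elsewhere is outside the hunk. The enclosing `if` block starts above the hunk.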
@@ -383,6 +383,7 @@ print <<END
 END
 ;
 foreach my $so (sort keys %users) {
+	$so = &Header::escape($so);
 	print "<option value='$so' $selected{'USERNAME'}{$so}>$so</option>\n"; }
 print <<END
 	</select>


hooks/post-receive
--
IPFire 2.x development tree
