
0001-SECURITY-Fix-XSS-via-User-agent-or-XFF-header-on-vot.patch

Authored By
Legoktm
Aug 20 2021, 10:43 PM

0001-SECURITY-Fix-XSS-via-User-agent-or-XFF-header-on-vot.patch

From 6bb390528d1aed4869d2ba90ae3fe24e22acce1c Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Fri, 20 Aug 2021 15:42:38 -0700
Subject: [PATCH] SECURITY: Fix XSS via User-agent or XFF header on voter list
The return type of ListPager::formatValue() is expected to be escaped
HTML, but these values were not being escaped.
Bug: T289385
Change-Id: I8dd600cdc7e4b57492d50a5b4c4f0ad5e1c2a8ef
---
includes/Pages/ListPager.php | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/includes/Pages/ListPager.php b/includes/Pages/ListPager.php
index f85b44f..e26fc9c 100644
--- a/includes/Pages/ListPager.php
+++ b/includes/Pages/ListPager.php
@@ -84,9 +84,9 @@ class ListPager extends TablePager {
switch ( $name ) {
case 'vote_timestamp':
if ( $this->isAdmin ) {
- return $this->getLanguage()->timeanddate( $value );
+ return htmlspecialchars( $this->getLanguage()->timeanddate( $value ) );
} else {
- return $this->getLanguage()->date( $value );
+ return htmlspecialchars( $this->getLanguage()->date( $value ) );
}
case 'vote_ip':
if ( $this->election->endDate < wfTimestamp(
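Review bot: The commit subject names the User-agent header, but none of the three hunks touches a user-agent column; the values wrapped in `htmlspecialchars()` here are the formatted timestamp, and in the later hunks vote_ip, vote_xff and two messages. If the user-agent value is rendered through the `default:` arm of this `switch` (outside the hunks, as are the start and end of formatValue()), that arm needs the same `return htmlspecialchars( $value );`, otherwise the subject overstates what the patch fixes. A one-line comment above the `switch`, `// Every arm must return escaped HTML; TablePager emits the value verbatim`, would record the contract the commit message describes so the next column added does not regress it.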
@@ -106,7 +106,7 @@ class ListPager extends TablePager {
) {
return '';
} else {
- return $value;
+ return htmlspecialchars( $value );
}
case 'vote_xff':
if ( $this->election->endDate < wfTimestamp(
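Review bot: The new `return htmlspecialchars( $value );` on the vote_ip line assumes `$value` is a string; if the column can be NULL for some rows (plausible for vote_xff in the following hunk, since a forwarded-for header is not always present), PHP 8.1+ raises a deprecation for a null argument and older versions silently return an empty string. Coercing first, `return htmlspecialchars( (string)$value );`, keeps the output identical for string values and is deprecation-free; the same change applies to the vote_xff hunk below. The `if` condition these arms sit in continues past the hunk boundary, so the branch structure is only partly visible here.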
@@ -116,20 +116,20 @@ class ListPager extends TablePager {
) {
return '';
} else {
- return $value;
+ return htmlspecialchars( $value );
}
case 'vote_cookie_dup':
$value = !$value;
if ( $value ) {
return '';
} else {
- return $this->msg( 'securepoll-vote-duplicate' )->text();
+ return $this->msg( 'securepoll-vote-duplicate' )->escaped();
}
case 'vote_token_match':
if ( $value ) {
return '';
} else {
- return $this->msg( 'securepoll-vote-csrf' )->text();
+ return $this->msg( 'securepoll-vote-csrf' )->escaped();
}
case 'details':
$voteId = intval( $this->mCurrentRow->vote_id );
--
2.31.1
