Page Menu
Home
Phabricator
Search
Configure Global Search
Log In
Files
F34612169
0001-SECURITY-Fix-XSS-via-User-agent-or-XFF-header-on-vot.patch
Legoktm (Legoktm)
Actions
View File
Edit File
Delete File
View Transforms
Subscribe
Mute Notifications
Award Token
Flag For Later
Authored By
Legoktm
Aug 20 2021, 10:43 PM
2021-08-20 22:43:53 (UTC+0)
Size
2 KB
Referenced Files
None
Subscribers
None
0001-SECURITY-Fix-XSS-via-User-agent-or-XFF-header-on-vot.patch
View Options
From 6bb390528d1aed4869d2ba90ae3fe24e22acce1c Mon Sep 17 00:00:00 2001
From: Kunal Mehta <legoktm@debian.org>
Date: Fri, 20 Aug 2021 15:42:38 -0700
Subject: [PATCH] SECURITY: Fix XSS via User-agent or XFF header on voter list
The return type of ListPager::formatValue() is expected to be escaped
HTML, but these values were not being escaped.
Bug: T289385
Change-Id: I8dd600cdc7e4b57492d50a5b4c4f0ad5e1c2a8ef
---
includes/Pages/ListPager.php | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/includes/Pages/ListPager.php b/includes/Pages/ListPager.php
index f85b44f..e26fc9c 100644
--- a/includes/Pages/ListPager.php
+++ b/includes/Pages/ListPager.php
@@ -84,9 +84,9 @@ class ListPager extends TablePager {
switch ( $name ) {
case 'vote_timestamp':
if ( $this->isAdmin ) {
- return $this->getLanguage()->timeanddate( $value );
+ return htmlspecialchars( $this->getLanguage()->timeanddate( $value ) );
} else {
- return $this->getLanguage()->date( $value );
+ return htmlspecialchars( $this->getLanguage()->date( $value ) );
}
case 'vote_ip':
if ( $this->election->endDate < wfTimestamp(
@@ -106,7 +106,7 @@ class ListPager extends TablePager {
) {
return '';
} else {
- return $value;
+ return htmlspecialchars( $value );
}
case 'vote_xff':
if ( $this->election->endDate < wfTimestamp(
@@ -116,20 +116,20 @@ class ListPager extends TablePager {
) {
return '';
} else {
- return $value;
+ return htmlspecialchars( $value );
}
case 'vote_cookie_dup':
$value = !$value;
if ( $value ) {
return '';
} else {
- return $this->msg( 'securepoll-vote-duplicate' )->text();
+ return $this->msg( 'securepoll-vote-duplicate' )->escaped();
}
case 'vote_token_match':
if ( $value ) {
return '';
} else {
- return $this->msg( 'securepoll-vote-csrf' )->text();
+ return $this->msg( 'securepoll-vote-csrf' )->escaped();
}
case 'details':
$voteId = intval( $this->mCurrentRow->vote_id );
--
2.31.1
File Metadata
Details
Attached
Mime Type
text/x-diff
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
9162431
Default Alt Text
0001-SECURITY-Fix-XSS-via-User-agent-or-XFF-header-on-vot.patch (2 KB)
Attached To
Mode
T289385: Modified HTTP headers allow XSS in SecurePoll (CVE-2021-42045)
Attached
Detach File
Event Timeline
Log In to Comment