From: Thomas Moschny <thm@fedoraproject.org>
Subject: [PATCH] t/cve-2012-0220
Apply changes from these commits:
commit fbfcea89f8e06426c73ab8ea369ca4cdc566db6f
Author: Joey Hess <joey@kitenet.net>
Date: Wed May 16 19:54:41 2012 -0400
meta: Security fix; add missing sanitization of author and authorurl. Thanks, Raúl Benencia
commit 18b0f2737b3f1478deff6e9c48217c6f22a576ea
Author: Joey Hess <joey@kitenet.net>
Date: Wed May 16 22:13:23 2012 -0400
ensure HTML::Entities is always loaded
(Worked ok in my tests w/o this, but not sure I tested every case,
and this is correct.)
Signed-off-by: Thomas Moschny <thm@fedoraproject.org>
---
IkiWiki/Plugin/meta.pm | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/IkiWiki/Plugin/meta.pm b/IkiWiki/Plugin/meta.pm
index 220fff9..38938ed 100644
--- a/IkiWiki/Plugin/meta.pm
+++ b/IkiWiki/Plugin/meta.pm
@@ -312,8 +312,9 @@ sub pagetemplate (@) {
$template->param(title_overridden => 1);
}
- foreach my $field (qw{author authorurl}) {
- $template->param($field => $pagestate{$page}{meta}{$field})
+ foreach my $field (qw{authorurl}) {
+ eval q{use HTML::Entities};
+ $template->param($field => HTML::Entities::encode_entities($pagestate{$page}{meta}{$field}))
if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
}
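Review bot: Entity-encoding `authorurl` in the `foreach my $field (qw{authorurl})` loop keeps the value from breaking out of the markup it is placed in, but it does not restrict the URL scheme, so a script-scheme URL would reach the template unchanged. Whether the scheme is validated where `$pagestate{$page}{meta}{authorurl}` is set is not visible in this hunk; if it is not, the value should be checked against an allow-list of schemes before `$template->param` is called. The result of `eval q{use HTML::Entities};` is also never inspected; adding `die $@ if $@;` directly after it would report a load failure as such, rather than presumably as an undefined-subroutine error on the next line. The body of `pagetemplate` starts and ends outside the hunk.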
@@ -324,7 +325,7 @@ sub pagetemplate (@) {
}
}
- foreach my $field (qw{description}) {
+ foreach my $field (qw{description author}) {
eval q{use HTML::Entities};
$template->param($field => HTML::Entities::encode_numeric($pagestate{$page}{meta}{$field}))
if exists $pagestate{$page}{meta}{$field} && $template->query(name => $field);
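Review bot: Nothing in the `foreach my $field (qw{description author})` loop says why these two fields go through `encode_numeric` while `authorurl` in the loop above uses `encode_entities`, so a later cleanup could merge the loops and silently change the escaping. A comment above the loop would record the intent, for example `# numeric entities only: presumably these fields are also emitted where named HTML entities are undefined (confirm)`. As a smaller style point, `eval q{use HTML::Entities};` sits inside the loop body and now runs once per field; moving it above the `foreach` would load the module once. The loop's closing brace is outside the hunk.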
--
tg: (5fd076e..) t/cve-2012-0220 (depends on: master)