From 5bb59d7c9c74ddce500f9b427a504501d3d7efaa Mon Sep 17 00:00:00 2001
From: Athmane Madjoudj
Date: Nov 16 2012 14:08:02 +0000
Subject: Fix some XSS issues

---
diff --git a/sticky-notes-fix-project-xss.patch b/sticky-notes-fix-project-xss.patch
new file mode 100644
index 0000000..f5a80cc
--- /dev/null
+++ b/sticky-notes-fix-project-xss.patch
@@ -0,0 +1,19 @@
+--- init.php.orig 2012-11-16 14:02:47.737621181 -0100
++++ init.php 2012-11-16 14:03:49.680340099 -0100
+@@ -67,11 +67,11 @@
+ unset($url);
+ }
+
+-// Change project name to lower case
+-if (isset($_GET['project'])) $_GET['project'] = strtolower($_GET['project']);
+-if (isset($_POST['project'])) $_POST['project'] = strtolower($_POST['project']);
+-if (isset($_GET['paste_project'])) $_GET['paste_project'] = strtolower($_GET['paste_project']);
+-if (isset($_POST['paste_project'])) $_POST['paste_project'] = strtolower($_POST['paste_project']);
++// Change project name to lower case and escape it
++if (isset($_GET['project'])) $_GET['project'] = htmlspecialchars(strtolower($_GET['project']));
++if (isset($_POST['project'])) $_POST['project'] = htmlspecialchars(strtolower($_POST['project']));
++if (isset($_GET['paste_project'])) $_GET['paste_project'] = htmlspecialchars(strtolower($_GET['paste_project']));
++if (isset($_POST['paste_project'])) $_POST['paste_project'] = htmlspecialchars(strtolower($_POST['paste_project']));
+
+ // Set up the db connection
+ $db->connect();
diff --git a/sticky-notes.spec b/sticky-notes.spec
index 7a0bae6..27487ae 100644
--- a/sticky-notes.spec
+++ b/sticky-notes.spec
@@ -1,7 +1,7 @@
 Summary: Sticky notes is a free and open source paste-bin application
 Name: sticky-notes
 Version: 0.3.09062012.4
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: BSD
 Group: Applications/Internet
 URL: http://gitorious.org/sticky-notes
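Review bot: The four `htmlspecialchars(strtolower(...))` lines added to init.php call `htmlspecialchars()` with its default flags, which (on the PHP versions of that era) do not escape single quotes, so a project name containing `'` is still unsafe wherever the page emits it inside a single-quoted HTML attribute; a minimal tightening is `htmlspecialchars(strtolower($_GET['project']), ENT_QUOTES, 'UTF-8')` on each of the four lines. Escaping at input time also means the HTML-encoded form (e.g. `&amp;` for `&`) is what every later consumer sees — database lookups, stored project names and any non-HTML output — so matches on existing project names may change and other output contexts gain nothing from it. The safer long-term fix is to keep `$_GET`/`$_POST` raw here and escape at each point of output, per context. The rest of init.php that consumes these values is outside the hunk, so I cannot confirm which contexts they reach.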
@@ -17,6 +17,7 @@ Patch0: sticky-notes-unbundle-php-geshi.patch
 # https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2
 Patch1: sticky-notes-fix-login-username-xss.patch
 Patch2: sticky-notes-fix-rss-uri-with-proxy.patch
+Patch3: sticky-notes-fix-project-xss.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
 BuildArch: noarch
 Requires: httpd
@@ -30,6 +31,7 @@ Sticky notes is a free and open source paste-bin application.
 %patch0 -p0
 %patch1 -p0
 %patch2 -p1
+%patch3 -p0
 
 %build
 %install
@@ -71,6 +73,9 @@ ln -sf ../../../etc/sticky-notes/install.php ${RPM_BUILD_ROOT}%{_datadir}/%{name
 %doc VERSION
 
 %changelog
+* Fri Nov 16 2012 Athmane Madjoudj 0.3.09062012.4-10
+- Fix some XSS issues.
+
 * Tue Oct 30 2012 Athmane Madjoudj 0.3.09062012.4-9
 - Make sticky-notes.conf compatible with both httpd 2.4.x and 2.2.x.
 