This is an automated email from the ASF dual-hosted git repository.

brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git


The following commit(s) were added to refs/heads/master by this push:
     new 874c7e8  2.11.0-M4-git-06  [JSPWIKI-1107]  Fixing file upload XSS 
vulnerability
874c7e8 is described below

commit 874c7e89201b50d0eb992ab42a39966767836e33
Author: brushed <[email protected]>
AuthorDate: Thu Apr 25 21:34:50 2019 +0200

    2.11.0-M4-git-06  [JSPWIKI-1107]  Fixing file upload XSS vulnerability
---
 ChangeLog                                               | 7 +++++++
 jspwiki-main/src/main/java/org/apache/wiki/Release.java | 2 +-
 jspwiki-war/src/main/scripts/moo-extend/Form.File.js    | 2 +-
 jspwiki-war/src/main/scripts/moo-extend/Request.File.js | 5 +++--
 4 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index f178c42..d2873dc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,13 @@
 
        * 2.11.0-M4-git-06
 
+       * [JSPWIKI-1107] uploading attachments with illegal filename causes XSS 
vulnerability
+         Fixing file upload vulnerability.
+
+2019-04-23  Dirk Frederickx (brushed AT apache DOT org)
+
+       * 2.11.0-M4-git-06
+
        * [JSPWIKI-1109] ReferredPagesPlugin with illegal characters in 
parameters
          causes XSS vulnerability
 
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/Release.java 
b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
index 6e288d6..e3192ce 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
@@ -72,7 +72,7 @@ public final class Release {
      *  <p>
      *  If the build identifier is empty, it is not added.
      */
-    public static final String     BUILD         = "06";
+    public static final String     BUILD         = "07";
 
     /**
      *  This is the generic version string you should use when printing out 
the version.  It is of
diff --git a/jspwiki-war/src/main/scripts/moo-extend/Form.File.js 
b/jspwiki-war/src/main/scripts/moo-extend/Form.File.js
index 4dc34e5..8511ce8 100755
--- a/jspwiki-war/src/main/scripts/moo-extend/Form.File.js
+++ b/jspwiki-war/src/main/scripts/moo-extend/Form.File.js
@@ -201,7 +201,7 @@ Form.File = new Class({
                 for( var i=0; i< input.files.length; i++){
                     var file = input.files[i];
                     fileNames += (i > 0 ? "<br />" : "")
-                              +  file.name.replace(/.*[\\\/]/, "")
+                              +  file.name.replace(/.*[\\\/]/, "").escapeHtml()
                               + " <span class='badge'>" + readableFileSize( 
file.size )+ "</span>";
                 }
 
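Review bot: The fix at `file.name.replace(/.*[\\\/]/, "").escapeHtml()` relies on a `String.prototype.escapeHtml` extension that this hunk does not define; as far as I can tell MooTools core has no such method, so it must come from another moo-extend script and the file picker will throw a TypeError if that script is not loaded before this one. Because `fileNames` is assembled together with `<br />` and `<span class='badge'>` markup it is evidently rendered as HTML somewhere outside the hunk, which is why the raw file name was exploitable, and that invariant is not written down anywhere a future maintainer adding another field would see it. I would add `// file.name is attacker-controlled and fileNames is inserted as HTML; escape every untrusted piece` above the loop. Longer term, building the list from DOM nodes via textContent would remove the need to remember this at all. The enclosing method starts and ends outside the hunk.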
diff --git a/jspwiki-war/src/main/scripts/moo-extend/Request.File.js 
b/jspwiki-war/src/main/scripts/moo-extend/Request.File.js
index a3d851c..20980b1 100755
--- a/jspwiki-war/src/main/scripts/moo-extend/Request.File.js
+++ b/jspwiki-war/src/main/scripts/moo-extend/Request.File.js
@@ -57,13 +57,14 @@ Request.File = new Class({
         xhr.open('POST', this.options.url, true);
         xhr.onreadystatechange = this.onStateChange.bind(this);
 
-        Object.each(this.headers, function(value, key){
+        for(var key in this.headers){
+            var value = this.headers[key];
             try {
                 xhr.setRequestHeader(key, value);
             } catch (e){
                 this.fireEvent('exception', [key, value]);
             }
-        }, this);
+        }
 
         this.fireEvent('request');
         xhr.send(this.formData);
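Review bot: Replacing `Object.each(this.headers, ...)` with a bare `for (var key in this.headers)` drops the own-property guard that MooTools' Object.each applies, so any enumerable property reachable through the headers object's prototype chain is now also passed to `xhr.setRequestHeader`; if `this.headers` is ever built from an object with a non-null prototype this is a behaviour change. Keep the old semantics with `if (!Object.prototype.hasOwnProperty.call(this.headers, key)) continue;` as the first statement of the loop body. This rewrite is also unrelated to the XSS fix the commit is titled for, which makes the security change harder to audit and backport; it would be cleaner as a separate commit with its motivation stated. The enclosing method starts and ends outside the hunk.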
