This is an automated email from the ASF dual-hosted git repository.
brushed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/jspwiki.git
The following commit(s) were added to refs/heads/master by this push:
new 874c7e8 2.11.0-M4-git-06 [JSPWIKI-1107] Fixing file upload XSS
vulnerability
874c7e8 is described below
commit 874c7e89201b50d0eb992ab42a39966767836e33
Author: brushed <[email protected]>
AuthorDate: Thu Apr 25 21:34:50 2019 +0200
2.11.0-M4-git-06 [JSPWIKI-1107] Fixing file upload XSS vulnerability
---
ChangeLog | 7 +++++++
jspwiki-main/src/main/java/org/apache/wiki/Release.java | 2 +-
jspwiki-war/src/main/scripts/moo-extend/Form.File.js | 2 +-
jspwiki-war/src/main/scripts/moo-extend/Request.File.js | 5 +++--
4 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f178c42..d2873dc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,13 @@
* 2.11.0-M4-git-06
+ * [JSPWIKI-1107] uploading attachments with illegal filename causes XSS
vulnerability
+ Fixing file upload vulnerability.
+
+2019-04-23 Dirk Frederickx (brushed AT apache DOT org)
+
+ * 2.11.0-M4-git-06
+
* [JSPWIKI-1109] ReferredPagesPlugin with illegal characters in
parameters
causes XSS vulnerability
diff --git a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
index 6e288d6..e3192ce 100644
--- a/jspwiki-main/src/main/java/org/apache/wiki/Release.java
+++ b/jspwiki-main/src/main/java/org/apache/wiki/Release.java
@@ -72,7 +72,7 @@ public final class Release {
* <p>
* If the build identifier is empty, it is not added.
*/
- public static final String BUILD = "06";
+ public static final String BUILD = "07";
/**
* This is the generic version string you should use when printing out
the version. It is of
diff --git a/jspwiki-war/src/main/scripts/moo-extend/Form.File.js
b/jspwiki-war/src/main/scripts/moo-extend/Form.File.js
index 4dc34e5..8511ce8 100755
--- a/jspwiki-war/src/main/scripts/moo-extend/Form.File.js
+++ b/jspwiki-war/src/main/scripts/moo-extend/Form.File.js
@@ -201,7 +201,7 @@ Form.File = new Class({
for( var i=0; i< input.files.length; i++){
var file = input.files[i];
fileNames += (i > 0 ? "<br />" : "")
- + file.name.replace(/.*[\\\/]/, "")
+ + file.name.replace(/.*[\\\/]/, "").escapeHtml()
+ " <span class='badge'>" + readableFileSize(
file.size )+ "</span>";
}
diff --git a/jspwiki-war/src/main/scripts/moo-extend/Request.File.js
b/jspwiki-war/src/main/scripts/moo-extend/Request.File.js
index a3d851c..20980b1 100755
--- a/jspwiki-war/src/main/scripts/moo-extend/Request.File.js
+++ b/jspwiki-war/src/main/scripts/moo-extend/Request.File.js
@@ -57,13 +57,14 @@ Request.File = new Class({
xhr.open('POST', this.options.url, true);
xhr.onreadystatechange = this.onStateChange.bind(this);
- Object.each(this.headers, function(value, key){
+ for(var key in this.headers){
+ var value = this.headers[key];
try {
xhr.setRequestHeader(key, value);
} catch (e){
this.fireEvent('exception', [key, value]);
}
- }, this);
+ }
this.fireEvent('request');
xhr.send(this.formData);
