Here is the jessie debdiff.

-- 
Mathieu
From ce52fddc5bacf6a089ce777ccbde1b80b915d7e6 Mon Sep 17 00:00:00 2001
From: Mathieu Parent <math.par...@gmail.com>
Date: Thu, 4 Feb 2016 13:47:41 +0100
Subject: [PATCH] Fix XSS vulnerability in menu bar (Closes: #813573)

and release
---
 debian/changelog                                    |  6 ++++++
 .../0005-Fix-XSS-vulnerability-in-menu-bar.patch    | 21 +++++++++++++++++++++
 debian/patches/series                               |  1 +
 3 files changed, 28 insertions(+)
 create mode 100644 debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch

diff --git a/debian/changelog b/debian/changelog
index fdc10df..512c484 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde (5.2.1+debian0-2+deb8u3) jessie-security; urgency=high
+
+  * Fix XSS vulnerability in menu bar (Closes: #813573)
+
+ -- Mathieu Parent <sath...@debian.org>  Thu, 04 Feb 2016 13:46:39 +0100
+
 php-horde (5.2.1+debian0-2+deb8u2) jessie-security; urgency=high
 
   * Add session token checking to various admin pages (Closes: #803641)
diff --git a/debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch b/debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch
new file mode 100644
index 0000000..8d35066
--- /dev/null
+++ b/debian/patches/0005-Fix-XSS-vulnerability-in-menu-bar.patch
@@ -0,0 +1,21 @@
+From: Jan Schneider <j...@horde.org>
+Date: Wed, 6 Jan 2016 11:46:35 +0100
+Subject: [jan] SECURITY: Fix XSS vulnerability in menu bar exposed by
+ only a few applications (Bug #14213).
+
+
+(Adapted from upstream ab07a1b447de34e13983b4d7ceb18b58c3a358d8)
+
+diff --git a/horde-5.2.1/templates/topbar/_menubar.html.php b/horde-5.2.1/templates/topbar/_menubar.html.php
+index acb416c..df75623 100644
+--- a/horde-5.2.1/templates/topbar/_menubar.html.php
++++ b/horde-5.2.1/templates/topbar/_menubar.html.php
+@@ -23,7 +23,7 @@
+         <input autocomplete="off" id="horde-search-input" type="text" />
+       </div>
+ <?php else: ?>
+-      <input type="text" id="horde-search-input" name="searchfield" class="formGhost" title="<?php echo $this->searchLabel ?>" />
++      <input type="text" id="horde-search-input" name="searchfield" class="formGhost" title="<?php echo $this->h($this->searchLabel) ?>" />
+ <?php endif ?>
+       <input type="image" id="horde-search-icon" src="<?php echo $this->searchIcon ?>" />
+     </form>
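Review bot: The `src` attribute on the unchanged `horde-search-icon` line still echoes `$this->searchIcon` without escaping, while the fix wraps only `searchLabel` in `$this->h()`. If `searchIcon` can carry application- or user-supplied text, which this hunk does not show, the same attribute-context injection applies there; `src="<?php echo $this->h($this->searchIcon) ?>"` would make the two outputs consistent. It is also worth confirming that `h()` escapes double quotes, since both values sit inside double-quoted attributes. The enclosing form and the first branch of the conditional begin outside the hunk, so other echoes in the template cannot be checked from here.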
diff --git a/debian/patches/series b/debian/patches/series
index 79d01fd..ac555f4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0002-Fix-rewrite-base.patch
 0003-Fix-XSS-in-group-administration.patch
 0004-Add-session-token-checking-to-various-admin-pages.patch
+0005-Fix-XSS-vulnerability-in-menu-bar.patch
-- 
2.7.0
