Hi Moritz,

Moritz Muehlenhoff wrote:
> Severity: grave

Thanks for the severity assessment by the security team. I wasn't
really sure if this is RC or "just important".

I've had a look at the new upstream tarballs, but the diff is
unfortunately huge:

$ tardiff dokuwiki-2022-07-31{a,b}.tgz
- composer.json
- composer.lock
- data/pages/playground
- data/pages/playground/playground.txt
- lib/plugins/authpdo/_test
- lib/plugins/authpdo/_test/mysql
- lib/plugins/authpdo/_test/mysql.test.php
- lib/plugins/authpdo/_test/mysql/fluxbb.php
- lib/plugins/authpdo/_test/mysql/fluxbb.sql
- lib/plugins/authpdo/_test/mysql/mybb.php
- lib/plugins/authpdo/_test/mysql/mybb.sql
- lib/plugins/authpdo/_test/mysql/wordpress.php
- lib/plugins/authpdo/_test/mysql/wordpress.sql
- lib/plugins/authpdo/_test/pgsql
- lib/plugins/authpdo/_test/pgsql.test.php
- lib/plugins/authpdo/_test/pgsql/django.php
- lib/plugins/authpdo/_test/pgsql/django.sql
- lib/plugins/authpdo/_test/sqlite.test.php
- lib/plugins/authpdo/_test/test.sqlite3
- lib/plugins/authplain/_test
- lib/plugins/authplain/_test/conf
- lib/plugins/authplain/_test/conf/auth.users.php
- lib/plugins/authplain/_test/escaping.test.php
- lib/plugins/authplain/_test/userdata.test.php
- lib/plugins/config/_test
- lib/plugins/config/_test/ConfigParserTest.php
- lib/plugins/config/_test/DocumentationTest.php
- lib/plugins/config/_test/LoaderExtraDefaultsTest.php
- lib/plugins/config/_test/LoaderTest.php
- lib/plugins/config/_test/Setting
- lib/plugins/config/_test/Setting/AbstractSettingTest.php
- lib/plugins/config/_test/Setting/SettingArrayTest.php
- lib/plugins/config/_test/Setting/SettingNumericTest.php
- lib/plugins/config/_test/Setting/SettingNumericoptTest.php
- lib/plugins/config/_test/Setting/SettingOnoffTest.php
- lib/plugins/config/_test/Setting/SettingStringTest.php
- lib/plugins/config/_test/Setting/SettingTest.php
- lib/plugins/config/_test/WriterTest.php
- lib/plugins/config/_test/data
- lib/plugins/config/_test/data/config.php
- lib/plugins/config/_test/data/metadata.php
- lib/plugins/extension/_test
- lib/plugins/extension/_test/extension.test.php
- lib/plugins/extension/_test/testdata
- lib/plugins/extension/_test/testdata/either1
- lib/plugins/extension/_test/testdata/either1/script.js
- lib/plugins/extension/_test/testdata/eithersub2
- lib/plugins/extension/_test/testdata/eithersub2/either2
- lib/plugins/extension/_test/testdata/eithersub2/either2/script.js
- lib/plugins/extension/_test/testdata/plgfoo5
- lib/plugins/extension/_test/testdata/plgfoo5/plugin.info.txt
- lib/plugins/extension/_test/testdata/plgsub3
- lib/plugins/extension/_test/testdata/plgsub3/plugin3
- lib/plugins/extension/_test/testdata/plgsub3/plugin3/syntax.php
- lib/plugins/extension/_test/testdata/plgsub4
- lib/plugins/extension/_test/testdata/plgsub4/plugin4
- lib/plugins/extension/_test/testdata/plgsub4/plugin4/plugin.info.txt
- lib/plugins/extension/_test/testdata/plgsub6
- lib/plugins/extension/_test/testdata/plgsub6/plgfoo6
- lib/plugins/extension/_test/testdata/plgsub6/plgfoo6/plugin.info.txt
- lib/plugins/extension/_test/testdata/plugin1
- lib/plugins/extension/_test/testdata/plugin1/syntax.php
- lib/plugins/extension/_test/testdata/plugin2
- lib/plugins/extension/_test/testdata/plugin2/plugin.info.txt
- lib/plugins/extension/_test/testdata/template1
- lib/plugins/extension/_test/testdata/template1/main.php
- lib/plugins/extension/_test/testdata/template1/style.ini
- lib/plugins/extension/_test/testdata/template2
- lib/plugins/extension/_test/testdata/template2/template.info.txt
- lib/plugins/extension/_test/testdata/tplfoo5
- lib/plugins/extension/_test/testdata/tplfoo5/template.info.txt
- lib/plugins/extension/_test/testdata/tplsub3
- lib/plugins/extension/_test/testdata/tplsub3/template3
- lib/plugins/extension/_test/testdata/tplsub3/template3/main.php
- lib/plugins/extension/_test/testdata/tplsub3/template3/style.ini
- lib/plugins/extension/_test/testdata/tplsub4
- lib/plugins/extension/_test/testdata/tplsub4/template4
- lib/plugins/extension/_test/testdata/tplsub4/template4/template.info.txt
- lib/plugins/extension/_test/testdata/tplsub6
- lib/plugins/extension/_test/testdata/tplsub6/tplfoo6
- lib/plugins/extension/_test/testdata/tplsub6/tplfoo6/template.info.txt
- lib/plugins/styling/.travis.yml
- lib/plugins/styling/_test
- lib/plugins/styling/_test/colors.test.php
- lib/plugins/styling/_test/general.test.php
- lib/plugins/testing
- lib/plugins/testing/_test
- lib/plugins/testing/_test/dummy_plugin_integration_test.test.php
- lib/plugins/testing/_test/dummy_plugin_test.test.php
- lib/plugins/testing/action.php
- lib/plugins/testing/conf
- lib/plugins/testing/conf/default.php
- lib/plugins/testing/conf/metadata.php
- lib/plugins/testing/lang
- lib/plugins/testing/lang/en
- lib/plugins/testing/lang/en/settings.php
- lib/plugins/testing/plugin.info.txt
- lib/plugins/usermanager/_test
- lib/plugins/usermanager/_test/csv_export.test.php
- lib/plugins/usermanager/_test/csv_import.test.php
- lib/plugins/usermanager/_test/mocks.class.php
- vendor/aziraphale/email-address-validator/.gitignore
- vendor/aziraphale/email-address-validator/composer.json
- vendor/geshi/geshi/.editorconfig
- vendor/geshi/geshi/.gitignore
- vendor/geshi/geshi/composer.json
- vendor/kissifrot/php-ixr/.editorconfig
- vendor/kissifrot/php-ixr/.gitignore
- vendor/kissifrot/php-ixr/composer.json
- vendor/marcusschwarz/lesserphp/.gitignore
- vendor/marcusschwarz/lesserphp/composer.json
- vendor/openpsa/universalfeedcreator/.editorconfig
- vendor/openpsa/universalfeedcreator/.gitattributes
- vendor/openpsa/universalfeedcreator/.gitignore
- vendor/openpsa/universalfeedcreator/composer.json
- vendor/phpseclib/phpseclib/appveyor.yml
- vendor/phpseclib/phpseclib/composer.json
- vendor/simplepie/simplepie/composer.json
- vendor/splitbrain/php-archive/.gitignore
- vendor/splitbrain/php-archive/composer.json
- vendor/splitbrain/php-cli/.gitignore
- vendor/splitbrain/php-cli/composer.json
- vendor/splitbrain/slika/.gitattributes
- vendor/splitbrain/slika/.gitignore
- vendor/splitbrain/slika/composer.json
- vendor/splitbrain/slika/composer.lock

🙄

So I'll likely just add the patch. I assume the release team is happier
that way, too.

P.S.:

> https://huntr.dev/bounties/c6119106-1a5c-464c-94dd-ee7c5d0bece0/

Do you know if the content behind this link will become public at
some time?

                Regards, Axel
-- 
 ,''`.  |  Axel Beckert <a...@debian.org>, https://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
