Sorry, my debdiff was not created correctly. This one looks better.
diff -Nru beets-2.2.0/debian/changelog beets-2.2.0/debian/changelog
--- beets-2.2.0/debian/changelog        2025-04-13 23:38:58.000000000 +0200
+++ beets-2.2.0/debian/changelog        2026-05-14 19:51:52.000000000 +0200
@@ -1,3 +1,11 @@
+beets (2.2.0-3+deb13u1) UNRELEASED; urgency=medium
+
+  * Add patch to fix xss vulnerability CVE-2026-42052 in web ui
+    (Closes: #1135779)
+  * Add patch with test for unsafe web ui input
+
+ -- Pieter Lenaerts <[email protected]>  Thu, 14 May 2026 19:51:52 +0200
+
 beets (2.2.0-3) unstable; urgency=medium
 
   [ Florent 'Skia' Jacquet ]
diff -Nru beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input 
beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input
--- beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input       
1970-01-01 01:00:00.000000000 +0100
+++ beets-2.2.0/debian/patches/add_unit_test_checking_unsafe_web_ui_input       
2026-05-14 19:51:52.000000000 +0200
@@ -0,0 +1,100 @@
+From: Pieter Lenaerts <[email protected]>
+Date: Sat, 9 May 2026 12:22:05 +0200
+Subject: Add unit test checking for unsafe input in web ui
+
+Forwarded: https://github.com/beetbox/beets/pull/6639
+---
+ test/plugins/test_web_xss.py | 84 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 84 insertions(+)
+ create mode 100644 test/plugins/test_web_xss.py
+
+diff --git a/test/plugins/test_web_xss.py b/test/plugins/test_web_xss.py
+new file mode 100644
+index 0000000..021122e
+--- /dev/null
++++ b/test/plugins/test_web_xss.py
+@@ -0,0 +1,84 @@
++"""Tests for XSS vulnerability in the web plugin templates.
++
++This test verifies that the Underscore.js templates in index.html use
++the escaping syntax (<%- %) instead of the non-escaping syntax (<%= %).
++
++In Underscore.js 1.2.2 (used by beets):
++- <%= variable %> does NOT escape HTML (vulnerable to XSS)
++- <%- variable %> DOES escape HTML (safe)
++
++The test checks the index.html template file served by Flask to ensure
++all user data interpolations in the Underscore.js templates use the escaping
++syntax.
++
++Generated using mistral vibe, verified by Pieter Lenaerts <[email protected]>
++"""
++
++import re
++
++from beets.test.helper import ItemInDBTestCase
++from beetsplug import web
++
++
++class WebXSSTest(ItemInDBTestCase):
++    def setUp(self):
++        super().setUp()
++        web.app.config["TESTING"] = True
++        web.app.config["lib"] = self.lib
++        web.app.config["INCLUDE_PATHS"] = False
++        web.app.config["READONLY"] = True
++        self.client = web.app.test_client()
++
++    def test_templates_use_escaping_syntax(self):
++        """Verify that all Underscore.js templates use <%- %> for escaping.
++
++        This test requests the index.html page and checks that all
++        user data interpolations in the Underscore.js templates use
++        the escaping syntax (<%- %) rather than the non-escaping syntax (<%= 
%).
++
++        Before the fix (with <%= %>), this test will fail.
++        After the fix (with <%- %>), this test will pass.
++        """
++        # Request the index.html page
++        response = self.client.get("/")
++        html = response.data.decode("utf-8")
++
++        # Extract the template scripts from the HTML
++        # The templates are in <script type="text/template"> blocks
++        template_pattern = r'<script type="text/template"[^>]*>(.*?)</script>'
++        templates = re.findall(template_pattern, html, re.DOTALL)
++
++        # Combine all template content for checking
++        all_template_content = "\n".join(templates)
++
++        # Check that no <%= %> (non-escaping) tags exist for user data
++        # We look for <%= followed by a variable name (word characters)
++        non_escaping_pattern = r'<%=\s*(\w+)\s*%>'
++        non_escaping_matches = re.findall(non_escaping_pattern, 
all_template_content)
++
++        # List of fields that should be escaped (user-controlled data)
++        user_data_fields = [
++            'title', 'artist', 'album', 'year', 'track', 'tracktotal',
++            'disc', 'disctotal', 'length', 'format', 'bitrate',
++            'mb_trackid', 'id', 'lyrics', 'comments'
++        ]
++
++        # Check if any user data fields are using non-escaping <%= %>
++        vulnerable_fields = [field for field in non_escaping_matches if field 
in user_data_fields]
++
++        # If we found any user data fields using <%= %>, the templates are 
vulnerable
++        assert len(vulnerable_fields) == 0, (
++            f"Found non-escaping <%= %> tags for user data fields: 
{vulnerable_fields}. "
++            f"These should use <%- %> for HTML escaping to prevent XSS."
++        )
++
++        # Also verify that escaping tags (<%- %>) are present for user data
++        escaping_pattern = r'<%-\s*(\w+)\s*%>'
++        escaping_matches = re.findall(escaping_pattern, all_template_content)
++
++        # At least some user data fields should use escaping
++        safe_fields = [field for field in escaping_matches if field in 
user_data_fields]
++        assert len(safe_fields) > 0, (
++            "No escaping <%- %> tags found for user data fields. "
++            "Templates should use <%- %> for HTML escaping."
++        )
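Review bot: The non-escaping check at `non_escaping_pattern = r'<%=\s*(\w+)\s*%>'` only matches a bare identifier, so expression interpolations such as `<%= timeFormat(length) %>` or `<%= Math.round(bitrate/1000) %>` (both present in index.html and both rewritten by the companion fix patch) would never be reported if they regressed, and the same applies to any field name missing from `user_data_fields`. Since the fix leaves no `<%=` tag in the templates at all, the test can assert that directly and keep the allow-list only for the positive check: `non_escaping_matches = re.findall(r'<%=\s*(.*?)\s*%>', all_template_content, re.DOTALL)` followed by `assert not non_escaping_matches, (f"Found non-escaping <%= %> tags: {non_escaping_matches}")`. The `escaping_pattern` a few lines below has the same `\w+` limitation, which is harmless for the `len(safe_fields) > 0` assertion but worth aligning for consistency. The test method and class are complete within the hunk.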
diff -Nru beets-2.2.0/debian/patches/fix-ubuntu-s390x 
beets-2.2.0/debian/patches/fix-ubuntu-s390x
--- beets-2.2.0/debian/patches/fix-ubuntu-s390x 2025-04-13 23:38:58.000000000 
+0200
+++ beets-2.2.0/debian/patches/fix-ubuntu-s390x 2026-05-14 19:51:52.000000000 
+0200
@@ -1,6 +1,9 @@
 From: Florent 'Skia' Jacquet <[email protected]>
 Date: Fri, 4 Apr 2025 17:16:16 +0200
 Subject: plugins/thumbnails: fix FFI with GIO on s390x
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
 
 Using the correct function signature for g_file_new_for_path fixes the
 tests on s390x.
@@ -41,7 +44,7 @@
  2 files changed, 5 insertions(+), 2 deletions(-)
 
 diff --git a/beetsplug/thumbnails.py b/beetsplug/thumbnails.py
-index 3f88248e00d1..44ffd12defa1 100644
+index 3f88248..44ffd12 100644
 --- a/beetsplug/thumbnails.py
 +++ b/beetsplug/thumbnails.py
 @@ -246,7 +246,7 @@ class GioURI(URIGetter):
@@ -54,7 +57,7 @@
  
              self.libgio.g_file_get_uri.argtypes = [ctypes.c_void_p]
 diff --git a/test/plugins/test_thumbnails.py b/test/plugins/test_thumbnails.py
-index 3eb36cd25732..00cd545d47f5 100644
+index 3eb36cd..00cd545 100644
 --- a/test/plugins/test_thumbnails.py
 +++ b/test/plugins/test_thumbnails.py
 @@ -265,7 +265,10 @@ class ThumbnailsTest(BeetsTestCase):
@@ -69,6 +72,3 @@
          assert gio.uri(b"/foo") == "file:///foo"
          assert gio.uri(b"/foo!") == "file:///foo!"
          assert (
--- 
-2.48.1
-
diff -Nru 
beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 
beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui
--- beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 
1970-01-01 01:00:00.000000000 +0100
+++ beets-2.2.0/debian/patches/fix_xss_by_using_escaped_template_tags_in_web_ui 
2026-05-14 19:51:52.000000000 +0200
@@ -0,0 +1,82 @@
+From: Šarūnas Nejus https://github.com/snejus
+Date: Sat, 9 May 2026 08:04:44 +0200
+Subject: Fix XSS by using escaped template tags in web UI
+
+Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
+Bug-Debian: https://bugs.debian.org/1135779
+Origin: backport, 
https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a
+Forwarded: not-needed
+---
+ beetsplug/web/templates/index.html | 28 ++++++++++++++--------------
+ 1 file changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/beetsplug/web/templates/index.html 
b/beetsplug/web/templates/index.html
+index 0fdd46d..7b1e43f 100644
+--- a/beetsplug/web/templates/index.html
++++ b/beetsplug/web/templates/index.html
+@@ -45,16 +45,16 @@
+ 
+         <!-- Templates. -->
+         <script type="text/template" id="item-entry-template">
+-            <%= title %>
++            <%- title %>
+             <span class="playing">&#9654;</span>
+         </script>
+         <script type="text/template" id="item-main-detail-template">
+-            <span class="artist"><%= artist %></span>
++            <span class="artist"><%- artist %></span>
+             <span class="album">
+-                <span class="albumtitle"><%= album %></span>
+-                <span class="year">(<%= year %>)</span>
++                <span class="albumtitle"><%- album %></span>
++                <span class="year">(<%- year %>)</span>
+             </span>
+-            <span class="title"><%= title %></span>
++            <span class="title"><%- title %></span>
+ 
+             <button class="play">&#9654;</button>
+ 
+@@ -63,34 +63,34 @@
+         <script type="text/template" id="item-extra-detail-template">
+             <dl>
+                 <dt>Track</dt>
+-                <dd><%= track %>/<%= tracktotal %></dd>
++                <dd><%- track %>/<%- tracktotal %></dd>
+                 <% if (disc) { %>
+                     <dt>Disc</dt>
+-                    <dd><%= disc %>/<%= disctotal %></dd>
++                    <dd><%- disc %>/<%- disctotal %></dd>
+                 <% } %>
+                 <dt>Length</dt>
+-                <dd><%= timeFormat(length) %></dd>
++                <dd><%- timeFormat(length) %></dd>
+                 <dt>Format</dt>
+-                <dd><%= format %></dd>
++                <dd><%- format %></dd>
+                 <dt>Bitrate</dt>
+-                <dd><%= Math.round(bitrate/1000) %> kbps</dd>
++                <dd><%- Math.round(bitrate/1000) %> kbps</dd>
+                 <% if (mb_trackid) { %>
+                     <dt>MusicBrainz entry</dt>
+                     <dd>
+-                        <a target="_blank" 
href="http://musicbrainz.org/recording/<%= mb_trackid %>">view</a>
++                        <a target="_blank" 
href="http://musicbrainz.org/recording/<%- mb_trackid %>">view</a>
+                     </dd>
+                 <% } %>
+                 <dt>File</dt>
+                 <dd>
+-                    <a target="_blank" class="download" href="item/<%= id 
%>/file">download</a>
++                    <a target="_blank" class="download" href="item/<%- id 
%>/file">download</a>
+                 </dd>
+                 <% if (lyrics) { %>
+                     <dt>Lyrics</dt>
+-                    <dd class="lyrics"><%= lyrics %></dd>
++                    <dd class="lyrics"><%- lyrics %></dd>
+                 <% } %>
+                 <% if (comments) { %>
+                     <dt>Comments</dt>
+-                    <dd><%= comments %></dd>
++                    <dd><%- comments %></dd>
+                 <% } %>
+             </dl>
+         </script>
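Review bot: Two of the switched interpolations land inside URL attributes, `href="http://musicbrainz.org/recording/<%- mb_trackid %>"` and `href="item/<%- id %>/file"`; `<%- %>` HTML-escapes the value, which stops it from breaking out of the attribute, but it does not URL-encode it, so a field containing `/`, `?` or `#` can still change where the link points. Wrapping those two values, e.g. `href="item/<%- encodeURIComponent(id) %>/file"` and the matching `<%- encodeURIComponent(mb_trackid) %>`, closes that gap without touching the other lines. The `<% if (...) { %>` control tags are correctly left alone since they emit no output. Separately, the patch's `From:` line gives a URL rather than an angle-bracketed address, which DEP-3/git patch tooling may not parse as an author; that is inferred from the header text, not verified here.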
diff -Nru beets-2.2.0/debian/patches/series beets-2.2.0/debian/patches/series
--- beets-2.2.0/debian/patches/series   2025-04-13 23:38:58.000000000 +0200
+++ beets-2.2.0/debian/patches/series   2026-05-14 19:51:52.000000000 +0200
@@ -3,3 +3,5 @@
 test-rsrc
 2025-future
 fix-ubuntu-s390x
+fix_xss_by_using_escaped_template_tags_in_web_ui
+add_unit_test_checking_unsafe_web_ui_input
