tags 439337 patch thanks Hi
Attached you will find my NMU proposal for this bug. Please give some feedback, if you agree/dissagree with that patch. Maybe you want to do a MU for that, which would of course be great. If you do not have the time for that, I would also appreciate to get your approval for the NMU. In any case, a small feedback would be great :) Thanks for your efforts. Cheers Steffen
diff -u websvn-1.61/debian/patches/series websvn-1.61/debian/patches/series --- websvn-1.61/debian/patches/series +++ websvn-1.61/debian/patches/series @@ -3,0 +4 @@ +CVE-2007-3056.diff diff -u websvn-1.61/debian/changelog websvn-1.61/debian/changelog --- websvn-1.61/debian/changelog +++ websvn-1.61/debian/changelog @@ -1,3 +1,12 @@ +websvn (1.61-22.2) unstable; urgency=high + + * Non-maintainer upload by the testing-security team + * Include CVE-2007-3056.diff to fix Cross-site scripting (XSS) + vulnerability in filedetails.php (Closes: #439337) + Fixes: CVE-2007-3056 + + -- Steffen Joeris <[EMAIL PROTECTED]> Mon, 03 Sep 2007 13:46:20 +0000 + websvn (1.61-22.1) unstable; urgency=high * Non-maintainer upload during BSP. only in patch2: unchanged: --- websvn-1.61.orig/debian/patches/CVE-2007-3056.diff +++ websvn-1.61/debian/patches/CVE-2007-3056.diff @@ -0,0 +1,22 @@ +--- filedetails.php.orig 2007-09-03 13:44:37.000000000 +0000 ++++ websvn-1.61/filedetails.php 2007-09-03 13:45:29.000000000 +0000 +@@ -127,9 +127,9 @@ + $vars["goyoungestlink"] = ""; + + $vars["action"] = ""; +-$vars["repname"] = $rep->name; +-$vars["rev"] = $rev; +-$vars["path"] = $ppath; ++$vars["repname"] = htmlentities($rep->getDisplayName(), ENT_QUOTES, 'UTF-8'); ++$vars["rev"] = htmlentities($rev, ENT_QUOTES, 'UTF-8'); ++$vars["path"] = htmlentities($ppath, ENT_QUOTES, 'UTF-8'); + + createDirLinks($rep, $ppath, $passrev, $showchanged); + +@@ -145,4 +145,4 @@ + parseTemplate($config->templatePath."header.tmpl", $vars, $listing); + parseTemplate($config->templatePath."file.tmpl", $vars, $listing); + parseTemplate($config->templatePath."footer.tmpl", $vars, $listing); +-?> +\ No newline at end of file ++?>
signature.asc
Description: This is a digitally signed message part.

