Subject: planet: [CVE-2009-2937] - Insufficient escaping of input feeds
Package: planet
Justification: user security hole
Severity: grave
Tags: security
*** Please type your report below this line ***

The planet feed aggregator attempts to remove malicious content from user-submitted feeds. It does a great job, but fails to sanitize this input:

    <img src="javascript:alert(1);" >

At least Opera will execute this code.

The packages in Etch and Lenny are vulnerable and should require a security update. Fixed packages are available from:

    http://www.steve.org.uk/tmp/planet/etch/
    http://www.steve.org.uk/tmp/planet/lenny/

This is the patch I used:

--- planet-2.0.orig/planet/sanitize.py +++ planet-2.0/planet/sanitize.py @@ -70,6 +70,12 @@ # utility method to be called by descendants attrs = [(k.lower(), v) for k, v in attrs] attrs = [(k, k in ('rel', 'type') and v.lower() or v) for k, v in attrs] + + for i in xrange (len (attrs)): + k,v = attrs[i] + if (( k == "src" ) or ( k == "href" ) ) and (v.find("javascript:" ) <> -1 ): + del attrs[i] + return attrs def unknown_starttag(self, tag, attrs):

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
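Review bot: the added loop deletes from `attrs` while iterating over `xrange (len (attrs))`, so after the first `del attrs[i]` the list is shorter than the precomputed range: the entry that shifts into position `i` is never examined, and the final iteration raises IndexError. A feed carrying even one `javascript:` attribute would therefore crash the sanitizer instead of being cleaned. Rebuild the list rather than mutating it, e.g. `attrs = [(k, v) for k, v in attrs if not (k in ('src', 'href') and 'javascript:' in v.lower())]`. Separately, `v.find("javascript:" ) <> -1` is a case-sensitive substring denylist restricted to `src` and `href`; values whose scheme is not spelled exactly that way pass, and other URL-bearing attributes are not checked at all. An allowlist of permitted schemes (http, https, ftp, mailto, plus relative URLs) applied to every attribute that takes a URL is the sturdier check, and the `return attrs` that follows the loop should be indented to the method body rather than the loop.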
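The check the report calls for, written out as an added example in current Python; this is neither planet's sanitize.py nor the reporter's patch. Instead of searching attribute values for a literal `javascript:` and deleting list entries in place, it rebuilds the attribute list and keeps URL-bearing attributes only when their scheme is on an allowlist (relative URLs pass). The attribute names, scheme list, regular expressions and the `html.parser` harness are my own assumptions, not planet's API.

```python
import re
from html.parser import HTMLParser

# Attribute names whose value is a URL and therefore needs a scheme check
# (assumed set; extend it for other URL-bearing attributes as needed).
URL_ATTRS = frozenset(("src", "href"))

# Schemes permitted in aggregated feed content; anything else is dropped.
# Relative URLs (no scheme at all) are allowed too.
SAFE_SCHEMES = frozenset(("http", "https", "ftp", "mailto"))

# ASCII control characters and whitespace. Browsers are lenient about these
# when parsing a URL, so they are removed before the scheme is read.
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")

# A URL scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")


def url_scheme(value):
    """Return the lowercased scheme of an attribute value, or None if it is relative."""
    cleaned = _CONTROL_OR_SPACE.sub("", value)  # only used for scheme detection
    match = _SCHEME.match(cleaned)
    return match.group(1).lower() if match else None


def is_safe_url(value):
    """Allowlist check: relative URLs and SAFE_SCHEMES pass, everything else fails."""
    scheme = url_scheme(value)
    return scheme is None or scheme in SAFE_SCHEMES


def sanitize_attrs(attrs):
    """Return a new (name, value) list with unsafe URL attributes removed.

    Building a fresh list avoids the delete-while-iterating problem.
    """
    kept = []
    for name, value in attrs:
        name = name.lower()
        if name in URL_ATTRS and not is_safe_url(value or ""):
            continue
        kept.append((name, value))
    return kept


class _AttrCollector(HTMLParser):
    """Runs every start tag's attributes through sanitize_attrs and records the result."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # html.parser hands over entity-decoded values, so the check sees the real URL.
        self.tags.append((tag, sanitize_attrs(attrs)))


def sanitized_tags(markup):
    """Parse an HTML fragment and return [(tag, sanitized_attrs), ...]."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


if __name__ == "__main__":
    # Constructed sample: the report's payload followed by an ordinary image tag.
    sample = '<img src="javascript:alert(1);" ><img src="http://example.org/a.png" alt="ok">'
    for tag, attrs in sanitized_tags(sample):
        print(tag, attrs)
```

The scheme check runs on a copy of the value with control characters stripped, but the value written back out is the original, so legitimate URLs are never rewritten; the example assumes the parser has already decoded character references, which `html.parser` does.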