Title: [201097] trunk/Websites/bugs.webkit.org
Revision: 201097
Author: [email protected]
Date: 2016-05-18 13:21:31 -0700 (Wed, 18 May 2016)

Log Message

CVE-2016-2803: [SECURITY] XSS vulnerability in dependency graphs via bug summary
<https://bugzilla.mozilla.org/show_bug.cgi?id=1253263>

Merge Bugzilla upstream master dd61903154fd363fb4e763d60aa155a507c2c3fc.

* showdependencygraph.cgi:
(CreateImagemap): Fix XSS vulnerability.

Modified Paths

Diff

Modified: trunk/Websites/bugs.webkit.org/ChangeLog (201096 => 201097)


--- trunk/Websites/bugs.webkit.org/ChangeLog	2016-05-18 20:01:19 UTC (rev 201096)
+++ trunk/Websites/bugs.webkit.org/ChangeLog	2016-05-18 20:21:31 UTC (rev 201097)
@@ -1,3 +1,13 @@
+2016-05-18  David Kilzer  <[email protected]>
+
+        CVE-2016-2803: [SECURITY] XSS vulnerability in dependency graphs via bug summary
+        <https://bugzilla.mozilla.org/show_bug.cgi?id=1253263>
+
+        Merge Bugzilla upstream master dd61903154fd363fb4e763d60aa155a507c2c3fc.
+
+        * showdependencygraph.cgi:
+        (CreateImagemap): Fix XSS vulnerability.
+
 2016-05-05  David Kilzer  <[email protected]>
 
         bugs.webkit.org: "See Also" field should support Chromium bugs
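
Review bot: The (CreateImagemap) line of the new ChangeLog entry says only "Fix XSS vulnerability." and does not say how the function was changed. Since this is a merge of an upstream security fix, it would help anyone auditing later to name the two changes made in showdependencygraph.cgi: the rectangle coordinates are now matched as digits only, and the URL is escaped before it is written into the area tag.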

Modified: trunk/Websites/bugs.webkit.org/showdependencygraph.cgi (201096 => 201097)


--- trunk/Websites/bugs.webkit.org/showdependencygraph.cgi	2016-05-18 20:01:19 UTC (rev 201096)
+++ trunk/Websites/bugs.webkit.org/showdependencygraph.cgi	2016-05-18 20:21:31 UTC (rev 201097)
@@ -67,13 +67,19 @@
             $default = qq{<area alt="" shape="default" href=""
         }
 
-        if ($line =~ /^rectangle \((.*),(.*)\) \((.*),(.*)\) (http[^ ]*) (\d+)(\\n.*)?$/) {
+        if ($line =~ /^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) (http[^ ]*) (\d+)(?:\\n.*)?$/) {
             my ($leftx, $rightx, $topy, $bottomy, $url, $bugid) = ($1, $3, $2, $4, $5, $6);
 
             # Pick up bugid from the mapdata label field. Getting the title from
             # bugtitle hash instead of mapdata allows us to get the summary even
             # when showsummary is off, and also gives us status and resolution.
+            # This text is safe; it has already been escaped.
             my $bugtitle = html_quote(clean_text($bugtitles{$bugid}));
+
+            # The URL is supposed to be safe, because it's built manually.
+            # But in case someone manages to inject code, it's safer to escape it.
+            $url = ""
+
             $map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } .
                     qq{title="$bugtitle" href="" } .
                     qq{coords="$leftx,$topy,$rightx,$bottomy">\n};
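
Review bot: The added assignment near the end of the hunk, '$url = ""', has no terminating semicolon and, as it reads here, discards the URL instead of escaping it, which contradicts the comment directly above it ("it's safer to escape it"). The statement should pass $url through the same html_quote() call already used for $bugtitle, and the href attribute in the following qq{} line should emit that escaped value; as shown, href is empty and $url is never used. This matters because the URL group in the new pattern is still 'http[^ ]*', which accepts quotes and angle brackets, so output escaping is the only barrier for that field. The switch from '(.*)' to '(\d+)' for the four coordinates closes the same gap for the coords attribute, and making the trailing label group non-capturing is fine since it was never read. The new comment "This text is safe; it has already been escaped." sits above the html_quote() call that does the escaping, so it would read more accurately below that line or reworded to say the text is escaped here.
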
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
