• Do not register here on develop.twiki.org, login with your twiki.org account.
• Use View topic Item7848 for generic doc work for TWiki-6.1.1. Use View topic Item7851 for doc work on extensions that are not part of a release. More... Close
• Anything you create or change in standard webs (Main, TWiki, Sandbox etc) will be automatically reverted on every SVN update.
Does this site look broken?. Use the LitterTray web for test cases.

Item7595: Security Alert CVE-2014-9325: XSS Vulnerability with QUERYSTRING and QUERYPARAMSTRING Variables

Item Form Data

AppliesTo: Component: Priority: CurrentState: WaitingFor: TargetRelease ReleasedIn
Engine   Normal Closed   patch 6.0.2

Edit Form Data

Summary:
Reported By:
Codebase:
Applies To:
Component:
Priority:
Current State:
Waiting For:
Target Release:
Released In:
 

Detail

Security alert:

Patches:


--- TWiki.pm   (revision 28488)
+++ TWiki.pm   (working copy)
@@ -4803,7 +4803,10 @@
 
 sub QUERYSTRING {
     my $this = shift;
-    return $this->{request}->queryString();
+    my $qs = $this->{request}->queryString();
+    # Item7595: Sanitize QUERYSTRING
+    $qs =~ s/(['\/<>])/'%'.sprintf('%02x', ord($1))/ge;
+    return $qs;
 }
 
 sub QUERYPARAMS {

--- TWiki/UI/View.pm   (revision 28488)
+++ TWiki/UI/View.pm   (working copy)
@@ -349,8 +349,14 @@
       next if ($name eq 'topic');
       push @qparams, $name => $query->param($name);
     }
-    $tmpl =~ s/%QUERYPARAMSTRING%/TWiki::_make_params(1,@qparams)/geo;
 
+    if ( $tmpl =~ /%QUERYPARAMSTRING%/ ) {
+        my $qs = TWiki::_make_params( 1, @qparams );
+        # Item7595: Sanitize QUERYPARAMSTRING
+        $qs =~ s/(['\/<>])/'%'.sprintf('%02x', ord($1))/ge;
+        $tmpl =~ s/%QUERYPARAMSTRING%/$qs/go;
+    }
+
     # extract header and footer from the template, if there is a
     # %TEXT% tag marking the split point. The topic text is inserted
     # in place of the %TEXT% tag. The text before this tag is inserted

-- TWiki:Main/PeterThoeny - 2014-12-09

ItemTemplate
Summary Security Alert CVE-2014-9325: XSS Vulnerability with QUERYSTRING and QUERYPARAMSTRING Variables
ReportedBy TWiki:Main.PeterThoeny
Codebase ~twiki4, 6.0.1
SVN Range TWiki-6.0.1-trunk, Sun, 30 Nov 2014, build 28477
AppliesTo Engine
Component

Priority Normal
CurrentState Closed
WaitingFor

Checkins TWikirev:28489 TWikirev:28490 TWikirev:28491 TWikirev:28492
TargetRelease patch
ReleasedIn 6.0.2
Edit | Attach | Watch | Print version | History: r8 < r7 < r6 < r5 < r4 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r8 - 2016-01-22 - PeterThoeny
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback