Fixes cross-site scripting vulnerability caused by several cases of unescaped
message title and member full name leaking to HTML output.

diff -urN samizdat-0.6.1-orig/lib/samizdat/components/resource.rb samizdat-0.6.1-xss/lib/samizdat/components/resource.rb
--- samizdat-0.6.1-orig/lib/samizdat/components/resource.rb	2008-02-25 16:25:09.000000000 +0200
+++ samizdat-0.6.1-xss/lib/samizdat/components/resource.rb	2009-02-02 15:57:37.000000000 +0200
@@ -129,13 +129,13 @@
   # resource title (HTML-escaped)
   #
   def title
-    CGI.escapeHTML(limit_string(@title.to_s))
+    escape_title(@title.to_s)
   end
 
   # render resource as a list item
   #
   def list_item
-    resource(@id, @title, info)
+    resource(@id, title, info)
   end
 
   # short rendering of the resource
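Review bot: `list_item` now hands the already-escaped `title` to `resource(@id, title, info)`, so the `resource` helper must treat its second argument as HTML and not escape it again; I cannot see `resource` from here, so please confirm it renders the title verbatim, otherwise `&amp;amp;` will show up in listings. The doc comment on `title` could also record the truncation the helper introduces: `# resource title, truncated to the title limit and HTML-escaped`. Note that `title` calls `.to_s` before `escape_title`, which is the only call site in this patch that guards against a nil title.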
@@ -242,7 +242,7 @@
 
   def list_item
     if @message.nrelated > 0
-      resource(@id, Focus.focus_title(@title), info)
+      resource(@id, Focus.focus_title(title), info)
     else
       super
     end
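Review bot: `Focus.focus_title(title)` now receives HTML-escaped text instead of the raw `@title`, so `focus_title` must neither escape its argument a second time nor do string matching that assumes the raw title; `Focus` is outside this diff, so that needs checking. If it does escape internally, passing `@title.to_s` here and letting it escape would avoid double-escaping. The `list_item` method's closing `end` lies outside the hunk.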
@@ -325,7 +325,7 @@
         body << '<p>' <<
           sprintf(
             _('Account blocked by moderator: %s.'),
-            resource_href(blocked_by, CGI.escapeHTML(b_name))
+            resource_href(blocked_by, escape_title(b_name))
           ) << '</p>'
       end
     end
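Review bot: The removed line already escaped `b_name` with `CGI.escapeHTML`, so replacing it with `escape_title(b_name)` does not change the escaping but adds truncation via `limit_string`, which clips a moderator's name to the title length limit; if that is not intended, keep `CGI.escapeHTML(b_name)` or introduce a non-truncating `escape_name` helper. The same added truncation applies to `escape_title(name)` in the `@@ -413` hunk of this file and to `escape_title(message.creator.full_name)` in message_helper.rb. The enclosing method starts and ends outside this hunk.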
@@ -413,7 +413,7 @@
       (s::fullName ?member ?name)
       (s::voteRating #{@id} ?rating)}
     @info = sprintf(_('<a href="%s">%s</a> gave rating %4.2f to the <a href="%s">Statement %s</a> on %s.'),
-      @member, name, rating, @stmt, @stmt, format_date(date).to_s)
+      @member, escape_title(name), rating, @stmt, @stmt, format_date(date).to_s)
 
     @links['made'] = @member
   end
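Review bot: `@member` and `@stmt` are still interpolated into `href="%s"` unescaped on the line above the change, while only `name` gets `escape_title`; they appear to be resource ids bound from the `?member` query variable and the statement id, which is fine if ids are integers, but the code does not show that. A comment stating the assumption would keep the next reader from re-auditing it: `# @member and @stmt are numeric resource ids, safe to interpolate unescaped`. `format_date(date).to_s` is likewise inserted unescaped; presumably it only yields generated date text. The enclosing method begins before the hunk.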
diff -urN samizdat-0.6.1-orig/lib/samizdat/controllers/message_controller.rb samizdat-0.6.1-xss/lib/samizdat/controllers/message_controller.rb
--- samizdat-0.6.1-orig/lib/samizdat/controllers/message_controller.rb	2008-02-25 13:49:18.000000000 +0200
+++ samizdat-0.6.1-xss/lib/samizdat/controllers/message_controller.rb	2009-02-02 15:58:50.000000000 +0200
@@ -19,7 +19,7 @@
 
   def source
     @message = Message.cached(@id)
-    @title = @message.content.title
+    @title = escape_title(@message.content.title)
     @content_for_layout = box(@title,
       form(nil,
         [:label, 'content', _('Content')],
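Review bot: `@title` now holds HTML-escaped text rather than the raw message title, so whatever renders `@title` outside `box` (the layout's page title or heading) must emit it verbatim and not escape it again, or titles containing `&`, `<` or quotes render as entities; the resource_controller.rb hunk adopts the same convention, so the layout presumably already expects escaped `@title`, but I cannot see it from here. A one-line comment would document the invariant: `# @title is HTML-escaped; the layout must render it verbatim`. The `source` method continues past the end of the hunk.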
@@ -438,7 +438,7 @@
 
     @title = _('Message Preview')
     @content_for_layout = box(
-      @message.content.title,
+      escape_title(@message.content.title),
       message(@message, :full) <<
         cut_warning.to_s <<
         '<p>' << _("Press 'Back' button to change the message.") << '</p>' <<
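Review bot: `escape_title(@message.content.title)` is now computed by hand at three call sites — here, in `source` at the `@@ -19` hunk of this file, and in resource_controller.rb as `escape_title(Message.cached(@id).content.title)` — which makes it easy for a future call site to forget the escaping. Extracting one helper (for example a method on the message content that returns the escaped title, or a controller-level `escaped_message_title`) would give the escaping a single home. Only the `box(...)` call's opening lines are inside the hunk; the method continues past it.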
diff -urN samizdat-0.6.1-orig/lib/samizdat/controllers/resource_controller.rb samizdat-0.6.1-xss/lib/samizdat/controllers/resource_controller.rb
--- samizdat-0.6.1-orig/lib/samizdat/controllers/resource_controller.rb	2008-02-23 00:38:10.000000000 +0200
+++ samizdat-0.6.1-xss/lib/samizdat/controllers/resource_controller.rb	2009-02-02 15:59:34.000000000 +0200
@@ -16,7 +16,8 @@
 
     # special case: force untranslated title to go with full rendering of a message
     @title = ('Message' == @resource.type) ?
-      Message.cached(@id).content.title : @resource.title
+      escape_title(Message.cached(@id).content.title) :
+      @resource.title
 
     @links.update(@resource.links)
   end
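Review bot: The two branches of the ternary now both yield HTML-escaped text, but only because `Resource#title` escapes internally (changed in resource.rb in this same patch), which is not visible at this call site; a comment would prevent someone from "fixing" the apparent asymmetry by adding `escape_title` around `@resource.title` and double-escaping it: `# both branches are HTML-escaped: Resource#title escapes itself`. As a point of style, a three-line ternary with `?` and `:` at line ends reads less clearly than an `if`/`else` assignment. The enclosing method starts before the hunk.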
diff -urN samizdat-0.6.1-orig/lib/samizdat/engine/helpers.rb samizdat-0.6.1-xss/lib/samizdat/engine/helpers.rb
--- samizdat-0.6.1-orig/lib/samizdat/engine/helpers.rb	2008-02-14 20:05:29.000000000 +0200
+++ samizdat-0.6.1-xss/lib/samizdat/engine/helpers.rb	2009-02-02 16:01:23.000000000 +0200
@@ -101,6 +101,12 @@
   end
 end
 
+# truncate _string_ to the title limit and escape HTML characters in it
+#
+def escape_title(string)
+  CGI.escapeHTML(limit_string(string))
+end
+
 # transform date to a standard string representation
 #
 def format_date(date)
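Review bot: `escape_title` passes `string` straight to `limit_string`, and several of its new callers (`message.creator.full_name`, `b_name`, `name`) do not guard against nil the way `Resource#title` does with `@title.to_s`; unless `limit_string` itself tolerates nil, a missing name raises instead of rendering empty. Coercing once inside the helper is cheaper than auditing every caller: `CGI.escapeHTML(limit_string(string.to_s))`. Since this helper is now the single escaping chokepoint for short untrusted text in HTML, the comment could also say so, e.g. `# use this for any user-supplied title or name that ends up in HTML output`, and note that truncation happens before escaping so an entity is never cut in half.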
diff -urN samizdat-0.6.1-orig/lib/samizdat/engine.rb samizdat-0.6.1-xss/lib/samizdat/engine.rb
--- samizdat-0.6.1-orig/lib/samizdat/engine.rb	2008-03-04 15:30:17.000000000 +0200
+++ samizdat-0.6.1-xss/lib/samizdat/engine.rb	2009-02-02 16:00:36.000000000 +0200
@@ -38,7 +38,7 @@
 
 # fix bug in standard cgi.rb
 def CGI::escapeHTML(string)
-  string.gsub(/&/n, '&amp;').gsub(/\"/n, '&quot;').gsub(/\'/n, '&apos;').gsub(/>/n, '&gt;').gsub(/</n, '&lt;')
+  string.gsub(/&/n, '&amp;').gsub(/\"/n, '&quot;').gsub(/\'/n, '&#39;').gsub(/>/n, '&gt;').gsub(/</n, '&lt;')
 end
 
 # add to_time() to String if it's not there
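Review bot: The comment `# fix bug in standard cgi.rb` should say which bug, since the override replaces a stdlib method process-wide and the next maintainer will be tempted to delete it: `# override CGI.escapeHTML: the stdlib version of this Ruby release does not escape the apostrophe`. Switching the replacement from `&apos;` to `&#39;` is the right call — `&apos;` is an XML entity, not part of HTML 4, so browsers in HTML mode may render it literally — and that reasoning deserves a comment too, e.g. `# &#39; rather than &apos;: the latter is not an HTML 4 entity`. The ordering of the chained `gsub`s is load-bearing (`&` must be replaced first or later entities get re-escaped); a comment saying so would help.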
diff -urN samizdat-0.6.1-orig/lib/samizdat/helpers/message_helper.rb samizdat-0.6.1-xss/lib/samizdat/helpers/message_helper.rb
--- samizdat-0.6.1-orig/lib/samizdat/helpers/message_helper.rb	2008-02-23 11:46:36.000000000 +0200
+++ samizdat-0.6.1-xss/lib/samizdat/helpers/message_helper.rb	2009-02-02 16:00:10.000000000 +0200
@@ -39,7 +39,8 @@
   #
   def message_info(message, mode)
     creator = message.creator.id.nil? ?   # no link if published by guest
-      _('guest') : %{<a href="#{message.creator.id}">#{message.creator.full_name}</a>}
+      _('guest') :
+      %{<a href="#{message.creator.id}">#{escape_title(message.creator.full_name)}</a>}
     date = format_date(message.date)
 
     if :full == mode
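Review bot: `message.creator.id` is still interpolated into `href="..."` unescaped, guarded only by the `nil?` check that picks the guest branch; if creator ids are integers that is harmless, but nothing in the hunk shows it, so a short comment would record the assumption: `# creator.id is a numeric resource id, safe to interpolate unescaped`. The `message_info` method continues past the end of the hunk.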
