Package: ikiwiki
Version: 3.20130904.1
Severity: normal
Tags: upstream

The osm plugin uses htmlscrubber (if enabled) to sanitize some parameters. In
my setup it is enabled, but it still does not correctly escape some fields. In
particular, the "name" parameter is included verbatim, involuntarily breaking
the javascript when the name contains a single quote/apostrophe ('). This is
obviously also a security risk, as javascript code injection becomes trivial.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (50, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ikiwiki depends on:
ii  libhtml-parser-perl             3.71-1+b1
ii  libhtml-scrubber-perl           0.11-1
ii  libhtml-template-perl           2.95-1
ii  libjson-perl                    2.61-1
ii  libtext-markdown-discount-perl  0.10-1+b1
ii  liburi-perl                     1.60-1
ii  libyaml-libyaml-perl            0.41-1
ii  perl                            5.18.1-5

Versions of packages ikiwiki recommends:
ii  gcc [c-compiler]             4:4.8.1-3
ii  gcc-4.8 [c-compiler]         4.8.2-8
ii  git [git-core]               1:1.8.5.1-1
pn  libauthen-passphrase-perl    <none>
ii  libc6-dev [libc-dev]         2.17-97
pn  libcgi-formbuilder-perl      <none>
pn  libcgi-session-perl          <none>
pn  libcrypt-ssleay-perl         <none>
pn  libgravatar-url-perl         <none>
pn  liblwpx-paranoidagent-perl   <none>
pn  libmail-sendmail-perl        <none>
pn  libnet-openid-consumer-perl  <none>
pn  librpc-xml-perl              <none>
pn  libterm-readline-gnu-perl    <none>
ii  libtimedate-perl             2.3000-1
ii  libxml-simple-perl           2.20-1
ii  mercurial                    2.8.1-2
ii  subversion                   1.7.13-3

Versions of packages ikiwiki suggests:
pn  dvipng                      <none>
ii  file                        1:5.14-2
ii  gettext                     0.18.3.1-2
pn  graphviz                    <none>
pn  libfile-mimeinfo-perl       <none>
pn  libhighlight-perl           <none>
ii  libhtml-tree-perl           5.03-1
ii  liblocale-gettext-perl      1.05-7+b2
ii  libmailtools-perl           2.12-1
pn  libnet-amazon-s3-perl       <none>
pn  libnet-inet6glue-perl       <none>
pn  libsearch-xapian-perl       <none>
ii  libsort-naturally-perl      1.02-1
pn  libsparkline-php            <none>
pn  libtext-csv-perl            <none>
pn  libtext-multimarkdown-perl  <none>
pn  libtext-textile-perl        <none>
pn  libtext-typography-perl     <none>
pn  libtext-wikicreole-perl     <none>
pn  libtext-wikiformat-perl     <none>
pn  libxml-feed-perl            <none>
ii  libxml-writer-perl          0.623-1
pn  perlmagick                  <none>
pn  po4a                        <none>
pn  polygen                     <none>
ii  python                      2.7.5-5
ii  python-docutils             0.11-2
pn  texlive                     <none>
pn  tidy                        <none>
pn  viewvc | gitweb | viewcvs   <none>
pn  xapian-omega                <none>

-- no debconf information
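
A simplified model of the bug class this report describes, added here as an example (it is not the osm plugin's or ikiwiki's own code, and the shape of the vulnerable template is an assumption): the naive render drops the "name" value verbatim into a single-quoted JavaScript string literal, so an apostrophe ends the literal; the hardened render JSON-encodes the value and neutralises the characters that matter inside an inline <script> block.

```javascript
// Constructed model of a server rendering an inline <script> that hands a
// waypoint "name" parameter to client-side map code (assumed shape, not the
// plugin's real template).

// Vulnerable pattern: value interpolated verbatim into a single-quoted literal.
// A name containing ' terminates the literal and the rest becomes code.
function renderNaive(name) {
  return "var name = '" + name + "';";
}

// Hardened pattern: JSON.stringify handles quotes, backslashes and control
// characters; the extra replacements cover what JSON alone does not:
// "<" and ">" so "</script>" cannot close the surrounding tag, "&" in case
// the page is parsed as XHTML, and U+2028/U+2029, which JSON permits but
// older JavaScript parsers rejected inside string literals.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(name) {
  return 'var name = ' + jsStringLiteral(name) + ';';
}

// Does the rendered snippet parse, and what value does the browser end up with?
// Returns { ok, value }; ok is false when the snippet is a syntax error.
function runSnippet(snippet) {
  try {
    return { ok: true, value: new Function(snippet + ' return name;')() };
  } catch (e) {
    return { ok: false, value: undefined };
  }
}

// True when nothing in the snippet could close an enclosing <script> element.
function embedsSafely(snippet) {
  return !/<\/script/i.test(snippet);
}

// Constructed sample names: the report's apostrophe case, and a tag closer.
const samples = ["O'Brien's Pub", 'Caf\u00e9 </script><b>x</b>'];

for (const s of samples) {
  console.log('naive:', renderNaive(s), runSnippet(renderNaive(s)));
  console.log('safe :', renderSafe(s), runSnippet(renderSafe(s)));
}
```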