Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org

[ Reason ]
dojo/dijit is vulnerable to cross-site-scripting (#970000, CVE-2020-4051).

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed during build, including upstream new checks

[ Risks ]
Upstream patch applied without any changes, not trivial but not a big change. From patch comment:

This update should minimally affect production applications:

* The behavior of existing links with HTML content will be unchanged
* Existing links that are edited and saved will be filtered (this is only if the link is edited, other content within the editor can be edited without affecting the link)
* Newly created links will be filtered by default
* For production code to continue working as-is with new data the application code will have to be updated to specify `true` for the `LinkDialog` plugin's `allowUnsafeHtml` option

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
In plugin dijit/_editor/plugins/LinkDialog.js, a new check was added

I didn't add any debian/NEWS entry since risk is tagged as "low". Do you think it is required here? Maybe something inspired from comment below.

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index d4aae875..407f7c48 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.14.2+dfsg1-1+deb10u3) buster; urgency=medium + + * Team upload + * Fix cross-site-scripting vulnerability (Closes: #970000, CVE-2020-4051) + + -- Yadd <y...@debian.org> Fri, 16 Apr 2021 09:39:01 +0200 + dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium * Team upload diff --git a/debian/patches/CVE-2020-4051.patch b/debian/patches/CVE-2020-4051.patch new file mode 100644 index 00000000..714b93d2 --- /dev/null +++ b/debian/patches/CVE-2020-4051.patch 
@@ -0,0 +1,135 @@ +Description: fix cross-site scripting vulnerability in the Editor's LinkDialog plugin + * Add config option `allowUnsafeHtml`: default is `false` which results in + `<` being replaced with `<` + * Add config option `linkFilter`: can be a function or array of filter pairs + to control exactly what filtering is applied + . + This update should minimally affect production applications: + . + * The behavior of existing links with HTML content will be unchanged + * Existing links that are edited and saved will be filtered (this is only if + the link is edited, other content within the editor can be edited without + affecting the link) + * Newly created links will be filtered by default + * For production code to continue working as-is with new data the application + code will have to be updated to specify `true` for the `LinkDialog` plugin's + `allowUnsafeHtml` option +Author: Mangala Sadhu Sangeet Singh Khalsa <mssskha...@gmail.com> +Origin: upstream, https://github.com/dojo/dijit/commit/7d9d4927 +Bug: https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6 +Bug-Debian: https://bugs.debian.org/970000 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-04-16 + +--- a/dijit/_editor/plugins/LinkDialog.js ++++ b/dijit/_editor/plugins/LinkDialog.js +@@ -1,5 +1,6 @@ + define([ + "require", ++ "dojo/_base/array", + "dojo/_base/declare", // declare + "dojo/dom-attr", // domAttr.get + "dojo/keys", // keys.ENTER +@@ -11,7 +12,7 @@ + "../_Plugin", + "../../form/DropDownButton", + "../range" +-], function(require, declare, domAttr, keys, lang, on, has, query, string, ++], function(require, array, declare, domAttr, keys, lang, on, has, query, string, + _Plugin, DropDownButton, rangeapi){ + + // module: +@@ -26,6 +27,21 @@ + // + // - createLink + ++ // allowUnsafeHtml: boolean ++ // If false (default), the link description will be filtered to prevent HTML content. 
++ // If true no filtering is done, allowing for HTML content within the link element. ++ // The filter can be specified with the 'linkFilter' option. ++ allowUnsafeHtml: false, ++ ++ // linkFilter: function or array of replacement pairs ++ // If 'allowUnsafeHtml' is false then this filter will be applied to the link Description value. ++ // function: the function will be invoked with the string value of the Description field and its ++ // return value will be used ++ // array: each array item should be an array of two values to pass to String#replace ++ linkFilter: [ ++ [/</g, "<"] ++ ], ++ + // Override _Plugin.buttonClass. This plugin is controlled by a DropDownButton + // (which triggers a TooltipDialog). + buttonClass: DropDownButton, +@@ -252,6 +268,16 @@ + if(args && args.urlInput){ + args.urlInput = args.urlInput.replace(/"/g, """); + } ++ if(!this.allowUnsafeHtml && args && args.textInput){ ++ if(typeof this.linkFilter === 'function'){ ++ args.textInput = this.linkFilter(args.textInput); ++ } ++ else{ ++ array.forEach(this.linkFilter, function (currentFilter) { ++ args.textInput = args.textInput.replace(currentFilter[0], currentFilter[1]); ++ }); ++ } ++ } + return args; + }, + +@@ -629,8 +655,15 @@ + }); + + // Register these plugins +- _Plugin.registry["createLink"] = function(){ +- return new LinkDialog({command: "createLink"}); ++ _Plugin.registry["createLink"] = function(args){ ++ var pluginOptions = { ++ command: "createLink", ++ allowUnsafeHtml: ("allowUnsafeHtml" in args) ? 
args.allowUnsafeHtml : false ++ }; ++ if("linkFilter" in args){ ++ pluginOptions.linkFilter = args.linkFilter; ++ } ++ return new LinkDialog(pluginOptions); + }; + _Plugin.registry["insertImage"] = function(){ + return new ImgLinkDialog({command: "insertImage"}); +--- a/dijit/tests/editor/test_LinkDialog.html ++++ b/dijit/tests/editor/test_LinkDialog.html +@@ -7,6 +7,10 @@ + <script type="text/javascript" src="../boilerplate.js"></script> + + <script type="text/javascript"> ++ function filterLink () { ++ return 'Filtered Value'; ++ } ++ + require([ + "dojo/parser", + "dijit/Editor", +@@ -35,6 +39,22 @@ + <br> + </div> + </div> ++ ++ <p>Editor with <code>allowUnsafeHtml</code> set to <code>true</code></p> ++ <div style="border: 1px dotted black;"> ++ <div id="editorUnsafe" data-dojo-type="dijit/Editor" data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink", allowUnsafeHtml: true}, "insertImage", "viewSource"]'> ++ <p>This editor will allow unrestricted HTML in the Description field of links</p> ++ <br> ++ </div> ++ </div> ++ ++ <p>Editor with custom <code>linkFilter</code> function</p> ++ <div style="border: 1px dotted black;"> ++ <div id="editorLinkFilter" data-dojo-type="dijit/Editor" data-dojo-props='"aria-label":"editor",extraPlugins:[{name: "createLink", linkFilter: filterLink}, "insertImage", "viewSource"]'> ++ <p>Links created in this editor will always have a description of "Filtered Value", which is the value returned by the custom <code>linkFilter</code> function.</p> ++ <br> ++ </div> ++ </div> + + <p>RTL Editor:</p> + <div style="border: 1px dotted black;"> diff --git a/debian/patches/series b/debian/patches/series index d5b7db42..04f730d1 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,3 +4,4 @@ CVE-2019-10785.patch CVE-2020-5258.diff CVE-2020-5259.diff +CVE-2020-4051.patch
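
Review bot: The debian/changelog entry says only "Fix cross-site-scripting vulnerability", while the patch header states that applications must specify `true` for `allowUnsafeHtml` to keep working as-is with new data. Suggest adding a changelog line that names the new `allowUnsafeHtml` and `linkFilter` options, so the default-filtering behaviour change is visible to users upgrading within buster.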
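
Review bot: In the `linkFilter` default added to dijit/_editor/plugins/LinkDialog.js (hunk `@@ -26,6 +27,21 @@`), the pair reads `[/</g, "<"]` as shown here, which replaces `<` with itself and filters nothing; the patch description carries the same `<` to `<` wording. The HTML entity appears to have been lost in transit, so confirm that debian/patches/CVE-2020-4051.patch in the actual upload has the escaped entity (`&lt;`) as the replacement. The option comment could also state that only `<` is handled by default, so an application that needs other characters escaped in the Description must supply its own `linkFilter`.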
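
Review bot: In the `@@ -252,6 +268,16 @@` hunk the `else` branch treats any non-function `linkFilter` as an array of pairs without checking it. A misconfigured value (for example a single pair not wrapped in an outer array) is handed to `array.forEach` and indexed as `currentFilter[0]` and `currentFilter[1]`, so the description can pass through unfiltered even though `allowUnsafeHtml` is false. Suggest validating that `linkFilter` is an array of two-element arrays and falling back to the default pair otherwise, and coercing the return value of a custom filter function to a string before assigning it to `args.textInput`.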
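
Review bot: The new `createLink` factory in the `@@ -629,8 +655,15 @@` hunk evaluates `"allowUnsafeHtml" in args` with no guard, which throws a TypeError if the factory is called without an argument, as the previous zero-argument version and the neighbouring `insertImage` factory permit. Suggest `args = args || {};` as the first statement. The value is also passed through untyped and later tested with `!this.allowUnsafeHtml`, so a truthy non-boolean such as the string "false" would switch filtering off; comparing with `args.allowUnsafeHtml === true` keeps the default closed.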
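
Review bot: The two blocks added to dijit/tests/editor/test_LinkDialog.html only instantiate editors with `allowUnsafeHtml: true` and with a custom `linkFilter`; nothing in the visible hunks asserts that an editor with the default configuration escapes a Description containing markup. Since the default path is the one that closes CVE-2020-4051, suggest adding a check that creates a link with markup in the Description through the default editor and verifies the saved value is filtered, and documenting in the page which of these cases are manual-only.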