Subject: planet-venus: [CVE-2009-2937] - Insufficient escaping of input feeds Package: planet-venus Justification: user security hole Severity: grave Tags: security
*** Please type your report below this line *** The planet feed aggregator attempts to remove malicious content from user-submitted feeds. It does a great job, but fails to sanitize this input: <img src="javascript:alert(1);" > At least Opera will execute this code. The package in Lenny is vulnerable and should require a security update. Fixed packages are available from: http://www.steve.org.uk/tmp/planet/lenny/ This is the patch I used, written by upstream: s...@senfl:~$ diff --unified scrub.orig scrub.py --- scrub.orig 2009-09-09 16:24:50.000000000 +0000 +++ scrub.py 2009-09-09 16:25:18.000000000 +0000 @@ -128,5 +128,13 @@ node['value'] = feedparser._resolveRelativeURIs( node.value, node.base, 'utf-8', node.type) - node['value'] = feedparser._sanitizeHTML( - node.value, 'utf-8', node.type) + # Run this through HTML5's serializer + from html5lib import html5parser, sanitizer, treebuilders + from html5lib import treewalkers, serializer + p = html5parser.HTMLParser(tokenizer=sanitizer.HTMLSanitizer, + tree=treebuilders.getTreeBuilder('dom')) + doc = p.parseFragment(node.value, encoding='utf-8') + xhtml = serializer.XHTMLSerializer(inject_meta_charset = False) + walker = treewalkers.getTreeWalker('dom') + tree = xhtml.serialize(walker(doc), encoding='utf-8') + node['value'] = ''.join([str(token) for token in tree]) -- System Information: Debian Release: squeeze/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
