diff -uNr sage.orig/content/createhtml.js sage/content/createhtml.js
--- sage.orig/content/createhtml.js 2009-12-10 14:01:59.000000000 +0000
+++ sage/content/createhtml.js 2009-12-10 14:41:04.000000000 +0000
@@ -136,7 +136,8 @@
 return this.entityEncode(feed.getTitle());
 case "**LINK**":
- return feed.getLink();
+ // Partial fix for CVE-2009-4102
+ return this.cleanHref(feed.getLink());
 break;
 case "**AUTHOR**":
@@ -147,7 +148,8 @@
 case "**DESCRIPTION**":
 if (feed.hasDescription()) {
- return feed.getDescription();
+ // Entity encode call is Partial fix for CVE-2009-4102
+ return this.entityEncode(SageUtils.htmlToText(feed.getDescription()));
 }
 return "";
@@ -216,7 +218,8 @@
 return i +1;
 case "**LINK**":
- return item.getLink();
+ // Partial fix for CVE-2009-4102
+ return this.cleanHref(item.getLink());
 case "**TITLE**":
 if (item.hasTitle()) {
@@ -242,7 +245,8 @@
 this.simpleHtmlParser.parse(item.getContent());
 ds = this.filterHtmlHandler.toString();
 } else {
- ds = SageUtils.htmlToText(item.getContent());
+ // Entity encode call is fix for regression from CVE-2006-4712
+ ds = this.entityEncode(SageUtils.htmlToText(item.getContent()));
 }
 return "<div class=\"item-desc\">" + ds + "</div>";
 }
@@ -291,6 +295,31 @@
 return dirService.get(aProp, Components.interfaces.nsILocalFile);
 },
+ // Partial fix for CVE-2009-4102
+ cleanHref: function(aUrl)
+ {
+ // We only want to allow http, ftp, news and mailto before :
+ var ltype = aUrl.split(":")[0];
+ aUrl = aUrl.replace(/^[^:]*:/, "");
+ switch(ltype.toLowerCase())
+ {
+ case "http":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ case "nntp":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ case "mailto":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ case "ftp":
+ aUrl = ltype + ":" + aUrl;
+ break;
+ }
+ // Did I miss some safe ones?
+ return aUrl
+ },
+ entityEncode: function(aStr) {
 function replacechar(match) {
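Review bot: The sanitized link on the new `return this.cleanHref(feed.getLink());` line is still returned without entity encoding, while the title case directly above it goes through `this.entityEncode`; a link value containing `"`, `<` or `&` can therefore still break out of the HTML the **LINK** placeholder is substituted into, and a bare `&` in a query string is invalid HTML either way. Suggest `return this.entityEncode(this.cleanHref(feed.getLink()));` here, and the same wrapping for the item link in the third hunk (`@@ -216,7 +218,8 @@`). The template that consumes **LINK** is outside these hunks, so whether the value lands inside a quoted attribute cannot be confirmed from the diff; the switch statements both hunks sit in also begin and end outside them.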
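Review bot: cleanHref's allow list omits `https` (and its comment names `news` while the case label is `nntp`), so an https feed link has its scheme stripped by `aUrl.replace(/^[^:]*:/, "")` and comes back as the scheme-relative `//host/path`, which resolves against whatever page the generated HTML is displayed in. A rejected scheme is likewise returned as its remainder rather than dropped, and `aUrl.split(":")[0]` treats any relative URL that merely contains a colon as if it had a scheme. Matching the scheme with an anchored regex, returning the URL unchanged for allowed schemes and an empty string otherwise addresses all three and removes the four duplicated case bodies; `return aUrl` is also missing its semicolon. If getLink() can return null or undefined, the caller or this function should guard for that before the string methods — not visible from the hunk. The object literal this method belongs to begins and ends outside the hunk.
```javascript
  // Partial fix for CVE-2009-4102
  cleanHref: function(aUrl)
  {
    // Only these schemes are allowed through; anything else (javascript:,
    // data:, ...) yields an empty href. A URL with no scheme is relative
    // and is passed through unchanged.
    var m = /^\s*([A-Za-z][A-Za-z0-9+.\-]*):/.exec(aUrl);
    if (!m) {
      return aUrl;
    }
    switch (m[1].toLowerCase())
    {
      case "http":
      case "https":
      case "ftp":
      case "nntp":
      case "news":
      case "mailto":
        return aUrl;
    }
    return "";
  },
```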
signature.asc
Description: OpenPGP digital signature