Time specifiers supplied in the Navigator Graph page web form are used to construct filenames in the cache directory.
Also on that page, or in error output, the URL of that graph is not properly escaped. Injection of some characters into HTML is possible, similar to CVE-2012-0790 but perhaps not enough to cause XSS. As a precaution, use the existing regex $xssBadRx to filter out unnecessary characters which fixes both issues. Doing this in parse_datetime conveniently covers all uses. diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm index cec130a..babd658 100644 --- a/lib/Smokeping.pm +++ b/lib/Smokeping.pm @@ -1029,12 +1029,13 @@ sub smokecol ($) { sub parse_datetime($){ my $in = shift; for ($in){ + $in =~ s/$xssBadRx/_/g; /^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; return $value}; /^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/ && return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1); /^now$/ && return time; /([ -:a-z0-9]+)/ && return $1; }; return time; } -- 1.7.10.4
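Review bot: The fallback alternative at the end of parse_datetime, `/([ -:a-z0-9]+)/ && return $1;`, is unanchored and its ` -:` is a character range running from space to colon, which covers `.`, `/`, `"`, `'` and `&`. The safety of the returned string for cache filenames and HTML output therefore rests entirely on what `$xssBadRx` matches, and its definition is not visible in this hunk. Please either state in the commit message which characters `$xssBadRx` replaces, or tighten the fallback in the same change by anchoring it and listing the intended punctuation explicitly instead of relying on the range. As a style point, `$in =~ s/$xssBadRx/_/g;` is not one of the match alternatives, so it would read more clearly directly after `my $in = shift;` than as the first statement inside the `for ($in)` block.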