Your message dated Sun, 17 Mar 2013 10:37:21 +0000
with message-id <e1uhbbb-0006w8...@squeeze.pyro.eu.org>
has caused the report #659899,
regarding CVE-2012-0790: XSS
to be marked as having been forwarded to the upstream software
author(s) t...@oetiker.ch

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
659899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=659899
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Time specifiers supplied in the Navigator Graph page web form are used
to construct filenames in the cache directory.

Also on that page, or in error output, the URL of that graph is not
properly escaped.  Injection of some characters into HTML is possible,
similar to CVE-2012-0790 but perhaps not enough to cause XSS.

As a precaution, use the existing regex $xssBadRx to filter out
unnecessary characters which fixes both issues.  Doing this in
parse_datetime conveniently covers all uses.

diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
index cec130a..babd658 100644
--- a/lib/Smokeping.pm
+++ b/lib/Smokeping.pm
@@ -1029,12 +1029,13 @@ sub smokecol ($) {
 sub parse_datetime($){
     my $in = shift;
     for ($in){
+        $in =~ s/$xssBadRx/_/g;
        /^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32; 
return $value};
         
/^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/  && 
             return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1);
         /^now$/ && return time;
         /([ -:a-z0-9]+)/ && return $1;     
     };
     return time;
 }
         
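Review bot: the fallback branch at the end of the loop, /([ -:a-z0-9]+)/ && return $1, still decides what reaches the cache filename and the graph URL, and the new substitution only helps there as far as $xssBadRx, which is defined outside this hunk, covers it. In that character class " -:" is a range from space to colon, so it admits ", ', &, / and . as well as the hyphen and colon it appears to list. Suggest writing the class with the hyphen escaped or placed last and listing only the characters a time specifier needs, so the function does not depend on the blacklist alone. The substitution would also read better above for ($in): inside the loop it affects the bare matches only because $_ is aliased to $in. A one-line comment saying it guards both the filename and the HTML output would help.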
-- 
1.7.10.4

--- End Message ---
