From 503f956084299a28cfaeeeede90683985ff72f53 Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Fri, 14 Mar 2008 23:22:46 +0000
Subject: [PATCH] Fix Two XSS Vulnerabilities

Unescaped page names (in 'edit' an 'new' views).
Unsanitized HTTP_CLIENT_IP header.
---
 app/controllers/wiki_controller.rb | 3 ++-
 app/models/page.rb | 2 +-
 app/views/wiki/edit.rhtml | 2 +-
 app/views/wiki/new.rhtml | 2 +-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/controllers/wiki_controller.rb b/app/controllers/wiki_controller.rb
index fe734e8f..172ba264 100644
--- a/app/controllers/wiki_controller.rb
+++ b/app/controllers/wiki_controller.rb
@@ -2,6 +2,7 @@ require 'fileutils'
 require 'redcloth_for_tex'
 require 'parsedate'
 require 'zip/zip'
+require 'resolv'
 
 class WikiController < ApplicationController
 
@@ -381,7 +382,7 @@ class WikiController < ApplicationController
   def remote_ip
     ip = request.remote_ip
     logger.info(ip)
-    ip
+    ip.gsub!(Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex), '\0') || 'bogus address'
   end
 
   def render_rss(hide_description = false, limit = 15, start_date = nil, end_date = nil)
diff --git a/app/models/page.rb b/app/models/page.rb
index 9861c6e9..26d4223e 100644
--- a/app/models/page.rb
+++ b/app/models/page.rb
@@ -77,7 +77,7 @@ class Page < ActiveRecord::Base
 
   # Returns the original wiki-word name as separate words, so "MyPage" becomes "My Page".
   def plain_name
-    web.brackets_only? ? name : WikiWords.separate(name)
+    web.brackets_only? ? CGI.escapeHTML(name) : CGI.escapeHTML(WikiWords.separate(name))
   end
 
   LOCKING_PERIOD = 30.minutes
diff --git a/app/views/wiki/edit.rhtml b/app/views/wiki/edit.rhtml
index 669933e0..bbaf7f4b 100644
--- a/app/views/wiki/edit.rhtml
+++ b/app/views/wiki/edit.rhtml
@@ -1,5 +1,5 @@
 <%
-  @title = "Editing #{@page.name}"
+  @title = "Editing #{CGI.escapeHTML(@page.name)}"
   @content_width = 720
   @hide_navigation = true
 %>
diff --git a/app/views/wiki/new.rhtml b/app/views/wiki/new.rhtml
index 4d7f93e9..d96d4c4a 100644
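Review bot: `logger.info(ip)` in the remote_ip hunk still logs the raw `request.remote_ip` value before the check on the following line, so a crafted HTTP_CLIENT_IP (the header the commit message names) containing newlines reaches the log unvalidated; the value should be logged only after it has passed the address check. The `gsub!` form acts as whole-string validation only because Resolv's `IPv4::Regex`/`IPv6::Regex` are anchored with `\A`…`\z`, and it relies on gsub!'s nil-on-no-match return while mutating `ip` in place; `ip = 'bogus address' unless ip =~ Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex)` followed by `logger.info(ip)` and `ip` expresses the same check directly. If `request.remote_ip` can ever be nil, the current `ip.gsub!` raises NoMethodError where the `=~` form yields 'bogus address'.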
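Review bot: `plain_name` in the page.rb hunk now returns HTML-escaped text from the model, so every caller receives an encoded string, including any view that already passes it through `h()`/`CGI.escapeHTML` (producing `&amp;amp;`) and any non-HTML consumer such as feed or plain-text output; those callers are outside this hunk and need checking before the escape lives in the model rather than in the views. If the model-level escape is kept, both branches can share one call, `CGI.escapeHTML(web.brackets_only? ? name : WikiWords.separate(name))`, and the comment above the method should state the contract, e.g. `# Returns the plain name, HTML-escaped; callers must not escape it again.`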
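Review bot: Whether `CGI.escapeHTML(@page.name)` in the edit.rhtml hunk is correct depends on how the layout emits `@title`, which this hunk does not show: if the layout already wraps it in `h()` the name is double-escaped (`&amp;lt;`), and if it inserts it raw this is the only escaping, so the layout should be checked and the assumption recorded with a comment such as `# @title is inserted unescaped by the layout; escape it here`. The same applies to the new.rhtml hunk, which escapes `WikiWords.separate(@page_name)` the same way. In a view, the Rails `h` helper (`h(@page.name)`) is the conventional spelling of this call.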
--- a/app/views/wiki/new.rhtml
+++ b/app/views/wiki/new.rhtml
@@ -1,5 +1,5 @@
 <%
-  @title = "Creating #{WikiWords.separate(@page_name)}"
+  @title = "Creating #{CGI.escapeHTML(WikiWords.separate(@page_name))}"
   @content_width = 720
   @hide_navigation = true
 %>