Fix Two XSS Vulnerabilities

Unescaped page names (in 'edit' and 'new' views).
Unsanitized HTTP_CLIENT_IP header.
This commit is contained in:
Jacques Distler 2008-03-14 23:22:46 +00:00
parent ab63a21ccd
commit 503f956084
4 changed files with 5 additions and 4 deletions


@ -2,6 +2,7 @@ require 'fileutils'
require 'redcloth_for_tex'
require 'parsedate'
require 'zip/zip'
require 'resolv'
class WikiController < ApplicationController
@ -381,7 +382,7 @@ class WikiController < ApplicationController
def remote_ip
ip = request.remote_ip
logger.info(ip)
ip
ip.gsub!(Regexp.union(Resolv::IPv4::Regex, Resolv::IPv6::Regex), '\0') || 'bogus address'
end
def render_rss(hide_description = false, limit = 15, start_date = nil, end_date = nil)
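Review bot: The replacement line in remote_ip expresses a whole-string validity check as a substitution that changes nothing (`gsub!` with `'\0'` returns the string unchanged when it matches, nil otherwise), which hides the intent and makes the fix depend on Resolv::IPv4::Regex and Resolv::IPv6::Regex being anchored to the whole string; if either ever matched a substring, the original value, surrounding content included, would be returned and the header-derived value the description mentions would still reach the view unescaped. An explicitly anchored match states the contract directly and does not rely on that: `ip =~ /\A(?:#{Resolv::IPv4::Regex}|#{Resolv::IPv6::Regex})\z/ ? ip : 'bogus address'`. The union is also rebuilt on every request; hoisting it into a frozen class-level constant (e.g. `IP_REGEX = ...`) would make the validation rule visible in one place and cheaper per call. Note that `logger.info(ip)` on the line above still logs the raw value before it is validated; that is pre-existing behaviour, but worth a comment such as `# raw value from request.remote_ip, logged before validation` so a reader does not assume the log line shows the sanitized address.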