[mapproxy] 01/04: New upstream version 1.10.4
Bas Couwenberg
sebastic at debian.org
Thu Aug 17 16:41:12 UTC 2017
commit 3ab01e61031c169f162c4c6d37c99278763a16a4
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date: Thu Aug 17 18:21:03 2017 +0200
New upstream version 1.10.4
---
CHANGES.txt | 11 +++++++++++
doc/conf.py | 2 +-
mapproxy/service/demo.py | 18 +++++++++++-------
setup.py | 2 +-
4 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/CHANGES.txt b/CHANGES.txt
index df94dbe..092c72e 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -1,3 +1,14 @@
+1.10.4 2017-08-17
+~~~~~~~~~~~~~~~~~
+
+Fixes:
+
+- Fix Cross Site Scripting (XSS) issue in demo service (#322).
+ A targeted attack could be used for information disclosure. For
+ example: Session cookies of a third party application running on
+ the same domain.
+
+
1.10.3 2017-07-07
~~~~~~~~~~~~~~~~~
diff --git a/doc/conf.py b/doc/conf.py
index 6dd6f5d..96968a8 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -51,7 +51,7 @@ copyright = u'Oliver Tonnhofer, Omniscale'
# The short X.Y version.
version = '1.10'
# The full version, including alpha/beta/rc tags.
-release = '1.10.3'
+release = '1.10.4'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
diff --git a/mapproxy/service/demo.py b/mapproxy/service/demo.py
index d83c5dc..2c266bf 100644
--- a/mapproxy/service/demo.py
+++ b/mapproxy/service/demo.py
@@ -22,6 +22,7 @@ import os
import pkg_resources
import mimetypes
from collections import defaultdict
+from xml.sax.saxutils import escape
from mapproxy.config.config import base_config
from mapproxy.compat import PY2
@@ -108,7 +109,10 @@ class DemoServer(Server):
demo = self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 'WMTS', url)
elif 'tms_capabilities' in req.args:
if 'layer' in req.args and 'srs' in req.args:
- url = '%s/tms/1.0.0/%s/%s'%(req.script_url, req.args['layer'], req.args['srs'])
+ # prevent dir traversal (seems it's not possible with urllib2, but better safe then sorry)
+ layer = req.args['layer'].replace('..', '')
+ srs = req.args['srs'].replace('..', '')
+ url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs)
else:
url = '%s/tms/1.0.0/'%(req.script_url)
capabilities = urllib2.urlopen(url)
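Review bot: The `.replace('..', '')` on the `layer` and `srs` values is a denylist that strips one pattern but still lets any other character — `/`, `?`, `#`, a percent-encoded dot sequence, or an `&amp;`-style entity — be interpolated unquoted into the URL that `urllib2.urlopen(url)` fetches server-side on the next line, so the request path is still shaped by the client. A stronger guard is an allowlist against the server's own configuration before the URL is built, e.g. `if layer not in self.tile_layers or srs not in self.layer_srs:` followed by rejecting the request, assuming those attributes (used elsewhere in this file as `self.tile_layers` and `self.layer_srs`) hold the configured names; at minimum the values should be percent-encoded as path segments rather than string-formatted. The comment on the first added line should also state what is actually being protected: `# layer/srs come from the query string and are spliced into a server-side fetch; restrict to known values`. The enclosing request handler starts before this hunk.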
@@ -171,14 +175,14 @@ class DemoServer(Server):
def _render_wms_template(self, template, req):
template = get_template(template, default_inherit="demo/static.html")
layer = self.layers[req.args['wms_layer']]
- srs = req.args['srs']
+ srs = escape(req.args['srs'])
bbox = layer.extent.bbox_for(SRS(srs))
width = bbox[2] - bbox[0]
height = bbox[3] - bbox[1]
min_res = max(width/256, height/256)
return template.substitute(layer=layer,
image_formats=self.image_formats,
- format=req.args['format'],
+ format=escape(req.args['format']),
srs=srs,
layer_srs=self.layer_srs,
bbox=bbox,
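Review bot: `escape` from `xml.sax.saxutils` converts only `&`, `<` and `>`, so if the template places `srs` or `format` inside a quoted HTML attribute (or a JavaScript string) a `"` or `'` in the query value still breaks out of it; the fix should pass the extra entity map, `srs = escape(req.args['srs'], {'"': '&quot;', "'": '&#39;'})` and `format=escape(req.args['format'], {'"': '&quot;', "'": '&#39;'})`, and the same applies to the two substitutions in the following hunks of this file. Separately, the escaped `srs` is reused as the lookup key on the very next line, `bbox = layer.extent.bbox_for(SRS(srs))`, so an `&` in the input reaches the SRS lookup as `&amp;` — keep the raw value for the lookup and escape only the value handed to `template.substitute`. I cannot see the templates from here, so whether the attribute context actually occurs needs confirming against `demo/static.html`. `_render_wms_template` continues past the end of this hunk.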
@@ -202,8 +206,8 @@ class DemoServer(Server):
else:
add_res_to_options = False
return template.substitute(layer=tile_layer,
- srs=req.args['srs'],
- format=req.args['format'],
+ srs=escape(req.args['srs']),
+ format=escape(req.args['format']),
resolutions=res,
units=units,
add_res_to_options=add_res_to_options,
@@ -223,8 +227,8 @@ class DemoServer(Server):
units = 'm'
return template.substitute(layer=wmts_layer,
matrix_set=wmts_layer.grid.name,
- format=req.args['format'],
- srs=req.args['srs'],
+ format=escape(req.args['format']),
+ srs=escape(req.args['srs']),
resolutions=wmts_layer.grid.resolutions,
units=units,
all_tile_layers=self.tile_layers,
diff --git a/setup.py b/setup.py
index 5515279..90c527c 100644
--- a/setup.py
+++ b/setup.py
@@ -54,7 +54,7 @@ def long_description(changelog_releases=10):
setup(
name='MapProxy',
- version="1.10.3",
+ version="1.10.4",
description='An accelerating proxy for web map services',
long_description=long_description(7),
author='Oliver Tonnhofer',