[Pkg-mozext-commits] [SCM] lightweight RSS and Atom feed reader for Iceweasel/Firefox branch, master, updated. upstream/1.4.5-27-g92ce2d5
Andrea Veri
av at src.gnome.org
Tue Aug 16 21:27:09 UTC 2011
The following commit has been merged in the master branch:
commit 0a51752aebacb3c104ea1ddb7a3481806192df97
Author: Andrea Veri <av at src.gnome.org>
Date: Tue Aug 16 23:10:17 2011 +0200
new_xss_fix.patch removed: the fix has been imported upstream. See http://code.google.com/p/sage/issues/detail?id=2 for reference.
diff --git a/debian/patches/new_xss_fix.patch b/debian/patches/new_xss_fix.patch
deleted file mode 100644
index d89cccd..0000000
--- a/debian/patches/new_xss_fix.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-Description: Fix RSS Feeds Cross Domain Scripting Vulnerability
- CVE-2009-4102 Cross Domain Scripting vulnerability. Don't trust HTML in titles,
- descriptions. Don't allow 'strange' (i.e. javascript:, data:) URLs in Links.
- CVE-2006-4712 (Regression), some of the old test cases no longer passed due to
- problem with htmlToText.
-Bug-Debian: http://bugs.debian.org/559267
-Author: Alan Woodland <awoodland at debian.org>
-Last-Update: 2010-02-13
-
---- sage-extension-1.4.5.orig/chrome/sage.jar!/content/createhtml.js
-+++ sage-extension-1.4.5/chrome/sage.jar!/content/createhtml.js
-@@ -133,15 +133,19 @@ var CreateHTML = {
-
- switch (s) {
- case "**TITLE**":
-- return this.entityEncode(feed.getTitle());
-+ // Entity encode is correct here - we shouldn't let any HTML through
-+ return this.entityEncode(SageUtils.htmlToText(feed.getTitle()));
-
- case "**LINK**":
-- return this.entityEncode(feed.getLink());
-+ // Partial fix for CVE-2009-4102
-+ // Clean href is correct here - there is HTML in what gets returned by getLink, but it's all Sage generated and anything which can break out of it should be escaped
-+ return this.entityEncode(this.cleanHref(feed.getLink()));
- break;
-
- case "**AUTHOR**":
- if (feed.hasAuthor()) {
-- return "<div class=\"feed-author\">" + this.entityEncode(feed.getAuthor()) + "</div>";
-+ // Entity encode is correct - we don't want any HTML back from this
-+ return "<div class=\"feed-author\">" + this.entityEncode(SageUtils.htmlToText(feed.getAuthor())) + "</div>";
- }
- return "";
-
-@@ -162,9 +166,11 @@ var CreateHTML = {
-
- /*
- case "**LOGOLINK**":
-+ // need to be sure we can't escape the href="..." part this gets enclosed in
- return feed.getLogo().link;
-
- case "**LOGOALT**":
-+ // need to be sure we can't escape the alt="..."
- return feed.getLogo().alt;
-
- case "**COPYRIGHT**":
-@@ -194,6 +200,7 @@ var CreateHTML = {
- return "";
- */
- case "**ITEMS**":
-+ // Correct - getItemsHtml is already escaped/quoted internally
- return this.getItemsHtml(feed);
- }
-
-@@ -208,6 +215,7 @@ var CreateHTML = {
- }
- var sb = [];
- for (var i = 0; i < feed.getItemCount(); i++) {
-+ // Correct - already quoted/escaped
- sb.push(this.getItemHtml(feed, feed.getItem(i), i));
- }
- return sb.join("");
-@@ -225,20 +233,26 @@ var CreateHTML = {
- return i + 1;
-
- case "**LINK**":
-- return this.entityEncode(item.getLink());
-+ // Partial fix for CVE-2009-4102
-+ // Correct - be careful of breaking out of the href="..." though
-+ return this.entityEncode(this.cleanHref(item.getLink()));
-
- case "**TITLE**":
- if (item.hasTitle()) {
-- return this.entityEncode(item.getTitle());
-+ // correct - this doesn't let any HTML through
-+ return this.entityEncode(SageUtils.htmlToText(item.getTitle()));
- } else if (item.getTitle()) {
-- return this.entityEncode(item.getTitle());
-+ // correct - no HTML through
-+ return this.entityEncode(SageUtils.htmlToText(item.getTitle()));
- } else {
-+ // No HTML here eitther, but it's not input anyway
- return this.entityEncode(strRes.GetStringFromName("feed_item_no_title"));
- }
-
- case "**AUTHOR**":
- if (item.hasAuthor()) {
-- return "<div class=\"item-author\">" + this.entityEncode(item.getAuthor()) + "</div>";
-+ // Correct - no HTML permitted here
-+ return "<div class=\"item-author\">" + this.entityEncode(SageUtils.htmlToText(item.getAuthor())) + "</div>";
- }
- return "";
-
-@@ -269,6 +283,7 @@ var CreateHTML = {
-
- case "**ENCLOSURE**":
- if (item.hasEnclosure()) {
-+ // ??
- var enc = item.getEnclosure();
- function createDescriptionFromURL(url) {
- var array = url.split("/");
-@@ -300,6 +315,31 @@ var CreateHTML = {
- return dirService.get(aProp, Components.interfaces.nsILocalFile);
- },
-
-+ // Partial fix for CVE-2009-4102
-+ cleanHref: function(aUrl) {
-+ // We only want to allow http, ftp, news and mailto before :
-+ var ltype = aUrl.split(":")[0];
-+ // Make it greedy so there cannot be any surplus :'s left after filtering
-+ // This was an error in my original patch
-+ aUrl = aUrl.replace(/^.*:/, "");
-+ switch(ltype.toLowerCase()) {
-+ case "http":
-+ aUrl = ltype + ":" + aUrl;
-+ break;
-+ case "nntp":
-+ aUrl = ltype + ":" + aUrl;
-+ break;
-+ case "mailto":
-+ aUrl = ltype + ":" + aUrl;
-+ break;
-+ case "ftp":
-+ aUrl = ltype + ":" + aUrl;
-+ break;
-+ }
-+ // Did I miss some safe ones?
-+ return aUrl
-+ },
-+
- entityEncode: function(aStr) {
-
- function replacechar(match) {
--