[Pkg-mozext-commits] [SCM] lightweight RSS and Atom feed reader for Iceweasel/Firefox branch, master, updated. upstream/1.4.5-27-g92ce2d5

Andrea Veri av at src.gnome.org
Tue Aug 16 21:27:09 UTC 2011


The following commit has been merged in the master branch:
commit 0a51752aebacb3c104ea1ddb7a3481806192df97
Author: Andrea Veri <av at src.gnome.org>
Date:   Tue Aug 16 23:10:17 2011 +0200

    new_xss_fix.patch removed. Fix has been imported upstream. See http://code.google.com/p/sage/issues/detail?id=2 as a reference.

diff --git a/debian/patches/new_xss_fix.patch b/debian/patches/new_xss_fix.patch
deleted file mode 100644
index d89cccd..0000000
--- a/debian/patches/new_xss_fix.patch
+++ /dev/null
@@ -1,133 +0,0 @@
-Description: Fix RSS Feeds Cross Domain Scripting Vulnerability
- CVE-2009-4102 Cross Domain Scripting vulnerability. Don't trust HTML in titles,
- descriptions. Don't allow 'strange' (i.e. javascript:, data:) URLs in Links.
- CVE-2006-4712 (Regression), some of the old test cases no longer passed due to
- problem with htmlToText.
-Bug-Debian: http://bugs.debian.org/559267
-Author: Alan Woodland <awoodland at debian.org>
-Last-Update: 2010-02-13
-
---- sage-extension-1.4.5.orig/chrome/sage.jar!/content/createhtml.js
-+++ sage-extension-1.4.5/chrome/sage.jar!/content/createhtml.js
-@@ -133,15 +133,19 @@ var CreateHTML = {
- 
- 		switch (s) {
- 			case "**TITLE**":
--				return this.entityEncode(feed.getTitle());
-+				// Entity encode is correct here - we shouldn't let any HTML through
-+				return this.entityEncode(SageUtils.htmlToText(feed.getTitle()));
- 
- 			case "**LINK**":
--				return this.entityEncode(feed.getLink());
-+				// Partial fix for CVE-2009-4102
-+				// Clean href is correct here - there is HTML in what gets returned by getLink, but it's all Sage generated and anything which can break out of it should be escaped
-+				return this.entityEncode(this.cleanHref(feed.getLink()));
- 				break;
- 
- 			case "**AUTHOR**":
- 				if (feed.hasAuthor()) {
--					return "<div class=\"feed-author\">" + this.entityEncode(feed.getAuthor()) + "</div>";
-+					// Entity encode is correct - we don't want any HTML back from this
-+					return "<div class=\"feed-author\">" + this.entityEncode(SageUtils.htmlToText(feed.getAuthor())) + "</div>";
- 				}
- 				return "";
- 
-@@ -162,9 +166,11 @@ var CreateHTML = {
- 
- /*
- 			case "**LOGOLINK**":
-+				// need to be sure we can't escape the href="..." part this gets enclosed in
- 				return feed.getLogo().link;
- 
- 			case "**LOGOALT**":
-+				// need to be sure we can't escape the alt="..."
- 				return feed.getLogo().alt;
- 
- 			case "**COPYRIGHT**":
-@@ -194,6 +200,7 @@ var CreateHTML = {
- 				return "";
- */
- 			case "**ITEMS**":
-+				// Correct - getItemsHtml is already escaped/quoted internally
- 				return this.getItemsHtml(feed);
- 		}
- 
-@@ -208,6 +215,7 @@ var CreateHTML = {
- 		}
- 		var sb = [];
- 		for (var i = 0; i < feed.getItemCount(); i++) {
-+			// Correct - already quoted/escaped
- 			sb.push(this.getItemHtml(feed, feed.getItem(i), i));
- 		}
- 		return sb.join("");
-@@ -225,20 +233,26 @@ var CreateHTML = {
- 				return i + 1;
- 
- 			case "**LINK**":
--				return this.entityEncode(item.getLink());
-+				// Partial fix for CVE-2009-4102
-+				// Correct - be careful of breaking out of the href="..." though
-+				return this.entityEncode(this.cleanHref(item.getLink()));
- 
- 			case "**TITLE**":
- 				if (item.hasTitle()) {
--					return this.entityEncode(item.getTitle());
-+					// correct - this doesn't let any HTML through
-+					return this.entityEncode(SageUtils.htmlToText(item.getTitle()));
- 				} else if (item.getTitle()) {
--					return this.entityEncode(item.getTitle());
-+					// correct - no HTML through
-+					return this.entityEncode(SageUtils.htmlToText(item.getTitle()));
- 				} else {
-+					// No HTML here eitther, but it's not input anyway
- 					return this.entityEncode(strRes.GetStringFromName("feed_item_no_title"));
- 				}
- 
- 			case "**AUTHOR**":
- 				if (item.hasAuthor()) {
--					return "<div class=\"item-author\">" + this.entityEncode(item.getAuthor()) + "</div>";
-+					// Correct - no HTML permitted here
-+					return "<div class=\"item-author\">" + this.entityEncode(SageUtils.htmlToText(item.getAuthor())) + "</div>";
- 				}
- 				return "";
- 
-@@ -269,6 +283,7 @@ var CreateHTML = {
- 
- 			case "**ENCLOSURE**":
- 				if (item.hasEnclosure()) {
-+					// ??
- 					var enc = item.getEnclosure();
- 					function createDescriptionFromURL(url) {
- 						var array = url.split("/");
-@@ -300,6 +315,31 @@ var CreateHTML = {
- 		return dirService.get(aProp, Components.interfaces.nsILocalFile);
- 	},
- 
-+	// Partial fix for CVE-2009-4102
-+	cleanHref: function(aUrl) {
-+		// We only want to allow http, ftp, news and mailto before :
-+		var ltype = aUrl.split(":")[0];
-+		// Make it greedy so there cannot be any surplus :'s left after filtering
-+		// This was an error in my original patch
-+		aUrl = aUrl.replace(/^.*:/, "");
-+		switch(ltype.toLowerCase()) {
-+			case "http":
-+				aUrl = ltype + ":" + aUrl;
-+				break;
-+			case "nntp":
-+				aUrl = ltype + ":" + aUrl;
-+				break;
-+			case "mailto":
-+				aUrl = ltype + ":" + aUrl;
-+				break;
-+			case "ftp":
-+				aUrl = ltype + ":" + aUrl;
-+				break;
-+		}
-+		// Did I miss some safe ones?
-+		return aUrl
-+	},
-+
- 	entityEncode: function(aStr) {
- 
- 		function replacechar(match) {

-- 
lightweight RSS and Atom feed reader for Iceweasel/Firefox


