[DRE-commits] [redmine] 01/01: Fix potential XSS vulnerability with flash messages.
Antonio Terceiro
terceiro at moszumanska.debian.org
Sun Feb 22 14:46:25 UTC 2015
This is an automated email from the git hooks/post-receive script.
terceiro pushed a commit to branch master
in repository redmine.
commit 9cbef7546f7cf941c3415d474558c50cf89e58ab
Author: Antonio Terceiro <terceiro at debian.org>
Date: Sun Feb 22 11:33:57 2015 -0300
Fix potential XSS vulnerability with flash messages.
---
debian/changelog | 8 ++++
.../patches/0001-Escape-flash-messages-19117.patch | 45 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 54 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 6bad6fb..0277747 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+redmine (3.0~20140825-5) unstable; urgency=high
+
+ * debian/patches/0001-Escape-flash-messages-19117.patch
+ - Fix potential XSS vulnerability with flash messages.
+ - No CVE id assigned yet
+
+ -- Antonio Terceiro <terceiro at debian.org> Sun, 22 Feb 2015 11:32:27 -0300
+
redmine (3.0~20140825-4) unstable; urgency=medium
* debian/doc/examples/apache2-passenger-alias.conf: updated example
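Review bot: the changelog entry names the patch and says "No CVE id assigned yet" but gives no upstream reference, so the Debian security tracker and later readers cannot correlate it with the fix; add the upstream issue number (#19117, already in the patch filename) and the upstream commit 2a7795ab to the entry, e.g. "- Fix potential XSS vulnerability with flash messages (upstream issue #19117, r14016)", and update the line when a CVE is assigned. urgency=high is appropriate for an XSS fix.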
diff --git a/debian/patches/0001-Escape-flash-messages-19117.patch b/debian/patches/0001-Escape-flash-messages-19117.patch
new file mode 100644
index 0000000..442079b
--- /dev/null
+++ b/debian/patches/0001-Escape-flash-messages-19117.patch
@@ -0,0 +1,45 @@
+From 2a7795ab525a47aee4484708acde409e6c4e6737 Mon Sep 17 00:00:00 2001
+From: Jean-Philippe Lang <jp_lang at yahoo.fr>
+Date: Tue, 17 Feb 2015 17:47:36 +0000
+Subject: [PATCH] Escape flash messages (#19117).
+
+git-svn-id: http://svn.redmine.org/redmine/trunk@14016 e93f8b46-1217-0410-a6f0-8f06a7374b81
+---
+ app/controllers/account_controller.rb | 2 +-
+ app/controllers/admin_controller.rb | 6 +++---
+ 2 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/app/controllers/account_controller.rb
++++ b/app/controllers/account_controller.rb
+@@ -290,7 +290,7 @@ class AccountController < ApplicationCon
+ token = Token.new(:user => user, :action => "register")
+ if user.save and token.save
+ Mailer.register(token).deliver
+- flash[:notice] = l(:notice_account_register_done, :email => user.mail)
++ flash[:notice] = l(:notice_account_register_done, :email => ERB::Util.h(user.mail))
+ redirect_to signin_path
+ else
+ yield if block_given?
+--- a/app/controllers/admin_controller.rb
++++ b/app/controllers/admin_controller.rb
+@@ -51,7 +51,7 @@ class AdminController < ApplicationContr
+ Redmine::DefaultData::Loader::load(params[:lang])
+ flash[:notice] = l(:notice_default_data_loaded)
+ rescue Exception => e
+- flash[:error] = l(:error_can_t_load_default_data, e.message)
++ flash[:error] = l(:error_can_t_load_default_data, ERB::Util.h(e.message))
+ end
+ end
+ redirect_to admin_path
+@@ -63,9 +63,9 @@ class AdminController < ApplicationContr
+ ActionMailer::Base.raise_delivery_errors = true
+ begin
+ @test = Mailer.test_email(User.current).deliver
+- flash[:notice] = l(:notice_email_sent, User.current.mail)
++ flash[:notice] = l(:notice_email_sent, ERB::Util.h(User.current.mail))
+ rescue Exception => e
+- flash[:error] = l(:notice_email_error, Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup))
++ flash[:error] = l(:notice_email_error, ERB::Util.h(Redmine::CodesetUtil.replace_invalid_utf8(e.message.dup)))
+ end
+ ActionMailer::Base.raise_delivery_errors = raise_delivery_errors
+ redirect_to settings_path(:tab => 'notifications')
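Review bot: the patch file has no DEP-3 headers (Origin:, Bug:, Applied-Upstream:), so the only provenance is the embedded git-svn-id line; add at least "Origin: upstream, commit 2a7795ab525a47aee4484708acde409e6c4e6737" and a Bug: field for upstream issue #19117 so it can be tracked and dropped when the package moves to a release containing r14016. On the fix itself: wrapping only the interpolated values (user.mail, e.message) in ERB::Util.h at the four assignment sites implies the layout renders flash as HTML-safe, so two things are worth verifying before upload: first, that the view does not also escape flash on output, otherwise these messages will now display literal "&lt;" entities; second, that no other flash assignment in the packaged snapshot interpolates request- or exception-derived strings, since this call-site escaping protects only the four lines touched here and does not harden the rendering path.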
diff --git a/debian/patches/series b/debian/patches/series
index fa281e4..16069f9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,4 @@ gemfile-adjustments.patch
drop-update_all.patch
invalidate-language-cache-from-older-versions.diff
avoid-crash-on-issues.diff
+0001-Escape-flash-messages-19117.patch
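Review bot: the patch is taken from upstream trunk as of February 2015 while the package is a 3.0~20140825 snapshot, and its hunks carry line-number context (account_controller.rb @290, admin_controller.rb @51 and @63) from that newer tree; confirm that quilt applies it without fuzz or offset on top of the preceding entries in series, and that the touched methods in the snapshot actually contain the same four flash assignments, before building.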
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/redmine.git