[mapproxy] 02/03: Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service. Fixes CVE-2017-1000426.

Bas Couwenberg sebastic at debian.org
Sun Jan 7 08:54:58 UTC 2018



sebastic pushed a commit to branch stretch
in repository mapproxy.

commit 0dcbb58680acb37a3fdf425c26f42480480870da
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date:   Sun Jan 7 09:33:10 2018 +0100

    Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service. Fixes CVE-2017-1000426.
---
 debian/changelog                                   |  2 +
 .../0001-demo-escape-args-to-avoid-XSS.patch       | 66 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 69 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index b77c528..83742a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
 mapproxy (1.9.0-3+deb9u1) UNRELEASED; urgency=medium
 
   * Update branch in gbp.conf & Vcs-Git URL.
+  * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service.
+    Fixes CVE-2017-1000426.
 
  -- Bas Couwenberg <sebastic at debian.org>  Sun, 07 Jan 2018 09:31:30 +0100
 
diff --git a/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch b/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
new file mode 100644
index 0000000..f2e8faf
--- /dev/null
+++ b/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
@@ -0,0 +1,66 @@
+Description: demo: escape args to avoid XSS
+ Fixes CVE-2017-1000426,
+Author: Oliver Tonnhofer <olt at bogosoft.com>
+Origin: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28
+
+--- a/mapproxy/service/demo.py
++++ b/mapproxy/service/demo.py
+@@ -22,6 +22,7 @@ import os
+ import pkg_resources
+ import mimetypes
+ from collections import defaultdict
++from xml.sax.saxutils import escape
+ 
+ from mapproxy.config.config import base_config
+ from mapproxy.compat import PY2
+@@ -108,7 +109,10 @@ class DemoServer(Server):
+             demo = self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 'WMTS', url)
+         elif 'tms_capabilities' in req.args:
+             if 'layer' in req.args and 'srs' in req.args:
+-                url = '%s/tms/1.0.0/%s/%s'%(req.script_url, req.args['layer'], req.args['srs'])
++                # prevent dir traversal (seems it's not possible with urllib2, but better safe then sorry)
++                layer = req.args['layer'].replace('..', '')
++                srs = req.args['srs'].replace('..', '')
++                url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs)
+             else:
+                 url = '%s/tms/1.0.0/'%(req.script_url)
+             capabilities = urllib2.urlopen(url)
+@@ -171,14 +175,14 @@ class DemoServer(Server):
+     def _render_wms_template(self, template, req):
+         template = get_template(template, default_inherit="demo/static.html")
+         layer = self.layers[req.args['wms_layer']]
+-        srs = req.args['srs']
++        srs = escape(req.args['srs'])
+         bbox = layer.extent.bbox_for(SRS(srs))
+         width = bbox[2] - bbox[0]
+         height = bbox[3] - bbox[1]
+         min_res = max(width/256, height/256)
+         return template.substitute(layer=layer,
+                                    image_formats=self.image_formats,
+-                                   format=req.args['format'],
++                                   format=escape(req.args['format']),
+                                    srs=srs,
+                                    layer_srs=self.layer_srs,
+                                    bbox=bbox,
+@@ -202,8 +206,8 @@ class DemoServer(Server):
+         else:
+             add_res_to_options = False
+         return template.substitute(layer=tile_layer,
+-                                   srs=req.args['srs'],
+-                                   format=req.args['format'],
++                                   srs=escape(req.args['srs']),
++                                   format=escape(req.args['format']),
+                                    resolutions=res,
+                                    units=units,
+                                    add_res_to_options=add_res_to_options,
+@@ -223,8 +227,8 @@ class DemoServer(Server):
+             units = 'm'
+         return template.substitute(layer=wmts_layer,
+                                    matrix_set=wmts_layer.grid.name,
+-                                   format=req.args['format'],
+-                                   srs=req.args['srs'],
++                                   format=escape(req.args['format']),
++                                   srs=escape(req.args['srs']),
+                                    resolutions=wmts_layer.grid.resolutions,
+                                    units=units,
+                                    all_tile_layers=self.tile_layers,
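Review bot: `xml.sax.saxutils.escape` only rewrites `&`, `<` and `>`, so the values escaped in `_render_wms_template` and in the two later `template.substitute` calls remain unsafe if the demo templates place `srs` or `format` inside a quoted attribute (`value="..."`) or an inline script, because a `"` or `'` in the query string still closes the attribute; the templates are not visible from this hunk, so the context should be confirmed there. The robust fix is to pass the quote entities on every call, `escape(req.args['srs'], {'"': '&quot;', "'": '&#x27;'})`, or to centralise that in a small helper as below so no call site forgets it. Separately, in the `tms_capabilities` branch `layer` and `srs` are still interpolated into the fetched URL unencoded after the `..` strip, so `/`, `?` and `#` pass through and let a caller steer the server-side `urllib2.urlopen` to a different path on the local service; percent-encoding them (`quote(layer, safe='')` from `urllib` or `urllib.parse`, chosen via the `PY2` flag the module already imports) is the better control. The enclosing methods continue outside the hunk.
```python
_QUOTE_ENTITIES = {'"': '&quot;', "'": '&#x27;'}


def _html_escape(value):
    # escape() alone leaves quotes intact; attribute values need them escaped too
    return escape(value, _QUOTE_ENTITIES)

# … unchanged: DemoServer up to _render_wms_template …
        srs = _html_escape(req.args['srs'])
# … unchanged: bbox / resolution computation …
                                   format=_html_escape(req.args['format']),
```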
diff --git a/debian/patches/series b/debian/patches/series
index 7ff43d8..7ce95c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ offline-tests.patch
 0001-use-dummy-access_contraints-to-clarify-license.patch
 disable-tag_date.patch
 configuration-typo.patch
+0001-demo-escape-args-to-avoid-XSS.patch



