* [PATCH] view: escape HTML description name
@ 2017-03-14 21:25 Eric Wong
0 siblings, 0 replies; only message in thread
From: Eric Wong @ 2017-03-14 21:25 UTC (permalink / raw)
To: meta
Otherwise funky filenames can cause HTML injection
vulnerabilities (hope you have JavaScript disabled!)
---
lib/PublicInbox/View.pm | 1 +
t/view.t | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm
index 0b1ec75..9ef4712 100644
--- a/lib/PublicInbox/View.pm
+++ b/lib/PublicInbox/View.pm
@@ -438,6 +438,7 @@ sub attach_link ($$$$;$) {
}
$ret .= "[-- Attachment #$idx: ";
my $ts = "Type: $ct, Size: $size bytes";
+ $desc = ascii_html($desc);
$ret .= ($desc eq '') ? "$ts --]" : "$desc --]\n[-- $ts --]";
$ret .= "</a>\n";
}
diff --git a/t/view.t b/t/view.t
index 46fbe41..2181b5e 100644
--- a/t/view.t
+++ b/t/view.t
@@ -124,7 +124,7 @@ EOF
Email::MIME->create(
attributes => {
content_type => 'text/plain',
- filename => "foo.patch",
+ filename => "foo&.patch",
},
body => "--- a/file\n+++ b/file\n" .
"@@ -49, 7 +49,34 @@\n",
@@ -140,7 +140,7 @@ EOF
);
my $html = msg_html($mime);
- like($html, qr!.*Attachment #2: foo\.patch --!,
+ like($html, qr!.*Attachment #2: foo&(?:amp|#38);\.patch --!,
"parts split with filename");
}
--
EW
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2017-03-14 21:25 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-14 21:25 [PATCH] view: escape HTML description name Eric Wong
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).