From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-4.0 required=3.0 tests=ALL_TRUSTED,BAYES_00 shortcircuit=no autolearn=ham autolearn_force=no version=3.4.0 Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id 230F720954 for ; Tue, 14 Mar 2017 21:25:32 +0000 (UTC) From: Eric Wong To: meta@public-inbox.org Subject: [PATCH] view: escape HTML description name Date: Tue, 14 Mar 2017 21:25:32 +0000 Message-Id: <20170314212532.13343-1-e@80x24.org> List-Id: Otherwise funky filenames can cause HTML injection vulnerabilities (hope you have JavaScript disabled!) --- lib/PublicInbox/View.pm | 1 + t/view.t | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/PublicInbox/View.pm b/lib/PublicInbox/View.pm index 0b1ec75..9ef4712 100644 --- a/lib/PublicInbox/View.pm +++ b/lib/PublicInbox/View.pm @@ -438,6 +438,7 @@ sub attach_link ($$$$;$) { } $ret .= "[-- Attachment #$idx: "; my $ts = "Type: $ct, Size: $size bytes"; + $desc = ascii_html($desc); $ret .= ($desc eq '') ? "$ts --]" : "$desc --]\n[-- $ts --]"; $ret .= "\n"; } diff --git a/t/view.t b/t/view.t index 46fbe41..2181b5e 100644 --- a/t/view.t +++ b/t/view.t @@ -124,7 +124,7 @@ EOF Email::MIME->create( attributes => { content_type => 'text/plain', - filename => "foo.patch", + filename => "foo&.patch", }, body => "--- a/file\n+++ b/file\n" . "@@ -49, 7 +49,34 @@\n", @@ -140,7 +140,7 @@ EOF ); my $html = msg_html($mime); - like($html, qr!.*Attachment #2: foo\.patch --!, + like($html, qr!.*Attachment #2: foo&(?:amp|#38);\.patch --!, "parts split with filename"); } -- EW
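Review bot: in the lib/PublicInbox/View.pm hunk, the new `$desc = ascii_html($desc);` is placed after `my $ts = "Type: $ct, Size: $size bytes";`, and `$ct` is interpolated into the same HTML string right next to the now-escaped `$desc`; the content type is also message-supplied, so unless it is already escaped where it is derived it needs the same `ascii_html` treatment, or the escaping should move to where `$ret` is assembled so every header-derived field passes through it. A short comment stating that `$desc` comes from the MIME headers and is untrusted would help the next reader see why the call is there.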
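Review bot: the fixture change in the first t/view.t hunk, `filename => "foo&.patch"`, exercises only `&`; since the commit message is about HTML injection, a second filename containing `<` and `>` (a tag-like name) would show that the escaping neutralizes markup rather than only bare entities, and is worth adding alongside this case.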
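Review bot: in the second t/view.t hunk the assertion `like($html, qr!.*Attachment #2: foo&(?:amp|#38);\.patch --!,` accepts either entity spelling, which is reasonable, but the leading `.*` keeps the match loose; anchoring on the `[-- ` prefix that the View.pm hunk emits would tie the test to the exact output. An `unlike($html, qr/foo&\.patch/)` beside it would also make the regression explicit by asserting that the raw, unescaped name no longer appears.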