[FFmpeg-devel] [PATCH] fateserver/history: escape untrusted data
Timothy Gu
timothygu99 at gmail.com
Sun Mar 2 23:59:43 CET 2014
Fixes Cross-Site Scripting with:
http://fate.ffmpeg.org/history.cgi?slot="><script>alert(1)</script>
or equivalent.
Signed-off-by: Timothy Gu <timothygu99 at gmail.com>
---
HTML::Entities is already used in report.cgi so no new dependency is
needed.
---
history.cgi | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/history.cgi b/history.cgi
index 2204847..b51d19c 100755
--- a/history.cgi
+++ b/history.cgi
@@ -20,11 +20,14 @@ use warnings;
use CGI qw/param/;
use FATE;
use Time::Zone;
+use HTML::Entities;
my $slot = param 'slot';
my $slotdir = "$fatedir/$slot";
-opendir D, $slotdir or fail "Slot $slot not found";
+my $slot_escaped = encode_entities $slot;
+
+opendir D, $slotdir or fail "Slot $slot_escaped not found";
my @reps = grep { /^[0-9]/ and -d "$slotdir/$_" } readdir D;
close D;
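Review bot: The added `$slot_escaped` only protects the error message; the raw `$slot` from `param 'slot'` is still interpolated into `$slotdir` on the line above and handed to `opendir`, so a value containing path separators or `..` is still used as a directory name unchecked. An anchored allowlist on the parameter before it is used for the path, e.g. `fail "Invalid slot" unless defined $slot and $slot =~ m{\A[\w-]+\z};`, would close that and make the entity encoding a belt-and-braces measure rather than the only guard (the exact character set should be confirmed against the real slot directory names). Note also that with an undefined `slot` parameter `encode_entities` is called on undef, which under `use warnings` emits a warning that the validation line above would also avoid. The `fail` helper comes from FATE and is outside this hunk, so whether it emits HTML is assumed from the commit message rather than visible here.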
--
1.8.3.2