[FFmpeg-devel] [PATCH] fateserver/history: escape untrusted data

Timothy Gu timothygu99 at gmail.com
Sun Mar 2 23:59:43 CET 2014

Fixes Cross-Site Scripting with:


or equivalent.

Signed-off-by: Timothy Gu <timothygu99 at gmail.com>

HTML::Entities is already used in report.cgi so no new dependency is


 history.cgi | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/history.cgi b/history.cgi
index 2204847..b51d19c 100755
--- a/history.cgi
+++ b/history.cgi
@@ -20,11 +20,14 @@ use warnings;
 use CGI qw/param/;
 use FATE;
 use Time::Zone;
+use HTML::Entities;
 my $slot = param 'slot';
 my $slotdir = "$fatedir/$slot";
-opendir D, $slotdir or fail "Slot $slot not found";
+my $slot_escaped = encode_entities $slot;
+opendir D, $slotdir or fail "Slot $slot_escaped not found";
 my @reps = grep { /^[0-9]/ and -d "$slotdir/$_" } readdir D;
 close D;
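Review bot: escaping `$slot` before it is interpolated into the `fail` message closes the HTML injection in that one output, but the same unvalidated value still flows from `param 'slot'` straight into the filesystem path on `my $slotdir = "$fatedir/$slot";`, so a slot containing `..` or `/` still names a directory outside `$fatedir`, and any later use of `$slot` in history.cgi outside this hunk would still need `$slot_escaped` rather than the raw value. A whitelist check right after the parameter is read, e.g. `defined $slot and $slot =~ /^[\w.-]+$/ or fail "Invalid slot";`, rejects both the markup and the traversal characters before either `$slotdir` or the error message is built, and also handles a missing `slot` parameter, which otherwise leaves `$slot` undefined and triggers "uninitialized value" warnings in the two interpolations.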
