[FFmpeg-devel] [PATCH] fateserver/history: escape untrusted data

Timothy Gu timothygu99 at gmail.com
Sun Mar 2 23:59:43 CET 2014


Fixes Cross-Site Script with:

http://fate.ffmpeg.org/history.cgi?slot="><script>alert(1)</script>

or equivalent.

Signed-off-by: Timothy Gu <timothygu99 at gmail.com>
---

HTML::Entities is already used in report.cgi so no new dependency is
needed.

---

 history.cgi | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/history.cgi b/history.cgi
index 2204847..b51d19c 100755
--- a/history.cgi
+++ b/history.cgi
@@ -20,11 +20,14 @@ use warnings;
 use CGI qw/param/;
 use FATE;
 use Time::Zone;
+use HTML::Entities;
 
 my $slot = param 'slot';
 my $slotdir = "$fatedir/$slot";
 
-opendir D, $slotdir or fail "Slot $slot not found";
+my $slot_escaped = encode_entities $slot;
+
+opendir D, $slotdir or fail "Slot $slot_escaped not found";
 my @reps = grep { /^[0-9]/ and -d "$slotdir/$_" } readdir D;
 close D;
 
-- 
1.8.3.2



More information about the ffmpeg-devel mailing list