[16/16] proxy.cgi: Further fix for bug 13893
- The previous patch for proxy.cgi addressed the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. That parameter, however, was not mentioned in the
description of that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/proxy.cgi | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
@@ -3977,8 +3977,16 @@ END
print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
}
- if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
- if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+ if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+ {
+ $proxysettings{'ADMIN_MAIL_ADDRESS'} = &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'});
+ print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+ }
+ if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+ {
+ $proxysettings{'ADMIN_PASSWORD'} = &Header::escape($proxysettings{'ADMIN_PASSWORD'});
+ print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
+ }
print FILE "\n";
print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
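Review bot: The two `&Header::escape` assignments escape the values on their way into the generated squid configuration, not on their way into HTML, so the stored XSS in the web form is not addressed by this hunk and the written config is altered instead. If Header::escape is the HTML-entity escaper (its definition is not on this page), a mail address or password containing `&`, `<`, `>` or `"` is rewritten before it reaches `cache_mgr`/`cachemgr_passwd`, and because the escaped value is stored back into `%proxysettings`, every later use of these keys in the same run sees the modified value. The `print FILE` lines should keep the raw setting, e.g. `print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";`, with escaping applied where the settings are rendered into the form (outside this hunk), and the values validated with an anchored regex at save time so that whitespace and newlines cannot reach the generated squid.conf either. The same point applies to UPSTREAM_USER and UPSTREAM_PASSWORD in the second hunk, where the escaped value becomes the `login=` credential sent upstream. The enclosing sub starts and ends outside the hunk.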
@@ -3994,8 +4002,13 @@ END
# login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on')
if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
{
+ $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});
print FILE " login=$proxysettings{'UPSTREAM_USER'}";
- if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+ if ($proxy1 eq 'YES')
+ {
+ $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+ print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}";
+ }
}
elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }