From patchwork Wed May 24 08:20:41 2023 X-Patchwork-Submitter: Michael Tremer X-Patchwork-Id: 6915 Received: by 
michael.haj.ipfire.org (Postfix, from userid 0) id 4QR3zJ4DZBzThFj; Wed, 24 May 2023 08:20:44 +0000 (UTC) From: Michael Tremer To: development@lists.ipfire.org Subject: [PATCH] clwarn.cgi: Remove XSS Date: Wed, 24 May 2023 08:20:41 +0000 Message-Id: <20230524082041.266912-1-michael.tremer@ipfire.org> X-Mailer: git-send-email 2.30.2 MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Arthur Naullet , Michael Tremer , Rafael Lima Errors-To: development-bounces@lists.ipfire.org Sender: "Development" Fixes: #12966 Reported-by: Arthur Naullet Reported-by: Rafael Lima Signed-off-by: Michael Tremer --- html/html/clwarn.cgi | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/html/html/clwarn.cgi b/html/html/clwarn.cgi index 44f7f98ab..c7a415cdb 100644 --- a/html/html/clwarn.cgi +++ b/html/html/clwarn.cgi @@ -20,6 +20,7 @@ ############################################################################### use CGI qw(param); +use HTML::Entities(); # enable only the following on debugging purpose use warnings; @@ -30,11 +31,11 @@ $swroot="/var/ipfire"; my $TITLE_VIRUS = "SquidClamAv Virus detection"; -my $url = param('url') || ''; -my $virus = param('virus') || ''; -my $source = param('source') || ''; +my $url = &HTML::Entities::encode_entities(param('url') || ''); +my $virus = &HTML::Entities::encode_entities(param('virus') || ''); +my $source = &HTML::Entities::encode_entities(param('source') || ''); $source =~ s/\/-//; -my $user = param('user') || ''; +my $user = &HTML::Entities::encode_entities(param('user') || ''); # Remove clamd infos
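Review bot: the first hunk adds `use HTML::Entities();` with an empty import list, which is correct because every call in the second hunk is fully qualified as `HTML::Entities::encode_entities`, so nothing is pulled into the package namespace; the line lands directly above the comment `# enable only the following on debugging purpose`, though, which now reads as if it covered the new import rather than `use warnings;`, so a blank line or a one-line comment stating that the module is used to escape request parameters before they are written into HTML would keep the intent clear.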
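Review bot: the second hunk escapes `url`, `virus`, `source` and `user` at the point where they are read from `param()`, not at the point where they are emitted, so every later use of these variables receives entity-encoded text; that is right for HTML body and quoted-attribute output, and `encode_entities` leaves `/` and `-` untouched so the following `$source =~ s/\/-//;` still matches, but it should be confirmed that none of the four values is also used in a non-HTML context further down the file (a `Location:` header, a log line, a comparison against an unescaped value), where the encoded form would be wrong. As a style point, the `&` sigil in `&HTML::Entities::encode_entities(...)` is unnecessary for a fully qualified call and can be dropped.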