Your message dated Sat, 25 Jan 2014 21:50:15 +0000
with message-id <[email protected]>
and subject line Bug#731797: fixed in ikiwiki 3.20140125
has caused the Debian Bug report #731797,
regarding ikiwiki: osm plugin does not correctly sanitize parameters
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
731797: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731797
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ikiwiki
Version: 3.20130904.1
Severity: normal
Tags: upstream

The osm plugin uses htmlscrubber (if enabled) to sanitize some parameters. In
my setup it is enabled, but it still does not correctly escape some fields. In
particular, the "name" parameter is included verbatim, involuntarily breaking
javascript when the name contains a single quote/apostrophe ('). This is
obviously also a security risk, as javascript code injection becomes trivial.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (50, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.11-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IE.utf8, LC_CTYPE=en_IE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages ikiwiki depends on:
ii  libhtml-parser-perl             3.71-1+b1
ii  libhtml-scrubber-perl           0.11-1
ii  libhtml-template-perl           2.95-1
ii  libjson-perl                    2.61-1
ii  libtext-markdown-discount-perl  0.10-1+b1
ii  liburi-perl                     1.60-1
ii  libyaml-libyaml-perl            0.41-1
ii  perl                            5.18.1-5

Versions of packages ikiwiki recommends:
ii  gcc [c-compiler]             4:4.8.1-3
ii  gcc-4.8 [c-compiler]         4.8.2-8
ii  git [git-core]               1:1.8.5.1-1
pn  libauthen-passphrase-perl    <none>
ii  libc6-dev [libc-dev]         2.17-97
pn  libcgi-formbuilder-perl      <none>
pn  libcgi-session-perl          <none>
pn  libcrypt-ssleay-perl         <none>
pn  libgravatar-url-perl         <none>
pn  liblwpx-paranoidagent-perl   <none>
pn  libmail-sendmail-perl        <none>
pn  libnet-openid-consumer-perl  <none>
pn  librpc-xml-perl              <none>
pn  libterm-readline-gnu-perl    <none>
ii  libtimedate-perl             2.3000-1
ii  libxml-simple-perl           2.20-1
ii  mercurial                    2.8.1-2
ii  subversion                   1.7.13-3

Versions of packages ikiwiki suggests:
pn  dvipng                      <none>
ii  file                        1:5.14-2
ii  gettext                     0.18.3.1-2
pn  graphviz                    <none>
pn  libfile-mimeinfo-perl       <none>
pn  libhighlight-perl           <none>
ii  libhtml-tree-perl           5.03-1
ii  liblocale-gettext-perl      1.05-7+b2
ii  libmailtools-perl           2.12-1
pn  libnet-amazon-s3-perl       <none>
pn  libnet-inet6glue-perl       <none>
pn  libsearch-xapian-perl       <none>
ii  libsort-naturally-perl      1.02-1
pn  libsparkline-php            <none>
pn  libtext-csv-perl            <none>
pn  libtext-multimarkdown-perl  <none>
pn  libtext-textile-perl        <none>
pn  libtext-typography-perl     <none>
pn  libtext-wikicreole-perl     <none>
pn  libtext-wikiformat-perl     <none>
pn  libxml-feed-perl            <none>
ii  libxml-writer-perl          0.623-1
pn  perlmagick                  <none>
pn  po4a                        <none>
pn  polygen                     <none>
ii  python                      2.7.5-5
ii  python-docutils             0.11-2
pn  texlive                     <none>
pn  tidy                        <none>
pn  viewvc | gitweb | viewcvs   <none>
pn  xapian-omega                <none>

-- no debconf information

--- End Message ---
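As an added example (not ikiwiki's code), the snippet below contrasts pasting a user-supplied name verbatim into an inline script with escaping it for a JS string-literal context; the `var name = '...'` template is an assumption about how such a value might be embedded, not the osm plugin's actual markup.

```javascript
// Added example, not from ikiwiki. The template shape `var name = '...';`
// is assumed for illustration; the osm plugin's real output differs.

// Unsafe: the behaviour the report describes, value concatenated verbatim.
// A single quote in `name` ends the literal early and the script fails to parse.
function renderUnsafe(name) {
  return "var name = '" + name + "';";
}

// Safe: produce a JS string literal. JSON.stringify gives a double-quoted
// literal with quotes, backslashes and control characters escaped; the extra
// replace also escapes <, >, & and U+2028/U+2029 so the literal can neither
// close the surrounding <script> element nor inject a JS line terminator.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

function renderSafe(name) {
  return "var name = " + jsStringLiteral(name) + ";";
}

// Evaluate a generated snippet in isolation and return the value `name`
// ends up holding, or null when the snippet does not parse at all (the
// "breaks javascript" symptom from the bug report).
function evalName(snippet) {
  try {
    return new Function(snippet + " return name;")();
  } catch (e) {
    return null;
  }
}

// Constructed sample input: a perfectly ordinary place name with an apostrophe.
const sampleName = "O'Reilly's Pub";
console.log(renderUnsafe(sampleName), "=>", evalName(renderUnsafe(sampleName)));
console.log(renderSafe(sampleName), "=>", evalName(renderSafe(sampleName)));
```

The same escaping rule applies to any server-side language: the requirement is to encode for the JavaScript string context the value lands in, which HTML scrubbing alone does not do.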
--- Begin Message ---
Source: ikiwiki
Source-Version: 3.20140125

We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <[email protected]> (supplier of updated ikiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 25 Jan 2014 16:40:32 -0400
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 3.20140125
Distribution: unstable
Urgency: medium
Maintainer: Joey Hess <[email protected]>
Changed-By: Joey Hess <[email protected]>
Description: 
 ikiwiki    - a wiki compiler
Closes: 731797 735123
Changes: 
 ikiwiki (3.20140125) unstable; urgency=medium
 .
   * inline: Allow overriding the title of the feed. Closes: #735123
     Thanks, Christophe Rhodes
   * osm: Escape name parameter. Closes: #731797
Checksums-Sha1: 
 b68a1b1e727cd240f12e7163ef459748e7fc3900 1842 ikiwiki_3.20140125.dsc
 215f52dc53def45cc2a4d1781d64d3d08ff545a9 3170332 ikiwiki_3.20140125.tar.gz
 9d418c5d6d8309a4ba1aa5023903526b9d0f864f 1507968 ikiwiki_3.20140125_all.deb
Checksums-Sha256: 
 4efed115246ca78060490f96e1bc11a7aec36f84c6706a734778f32f978b8836 1842 ikiwiki_3.20140125.dsc
 0d822a02eca7b749d7b7d57eb0c1ac362c63093c72b8591fd7db5e54612f291b 3170332 ikiwiki_3.20140125.tar.gz
 bee3eca48fef51caa0ececf62380f5bdc97053753e521f2f7baead61058835a5 1507968 ikiwiki_3.20140125_all.deb
Files: 
 4acce3ca08d406615057c13c66eae83f 1842 web optional ikiwiki_3.20140125.dsc
 dffb835165464354d12e30f18360f81e 3170332 web optional ikiwiki_3.20140125.tar.gz
 fbf63f4c7d3d486a2b31458e499756d6 1507968 web optional ikiwiki_3.20140125_all.deb


--- End Message ---
