package kronolith
reopen 349261
tags 349261 +help
thanks

On Sat, Jan 21, 2006 at 03:56:30PM -0500, Joey Hess wrote:
> clone 342943 -1
> reassign -1 kronolith
> thanks

> This security hole was fixed in kronolith2, but the kronolith
> package is still present in unstable and still, presumably, has this
> hole.

Thank you for warning us. However, kronolith 1 is not maintained
upstream anymore and no patch for this issue is available from
upstream.

I've tried to backport the upstream patch for kronolith 2, but most
files touched don't actually exist in kronolith 1, and neither does a
sizeable part of the code touched in the files that do exist. Here is
my measly backport attempt, but I'd really like someone who
understands the issue to review it and check that nothing has been left
out. Do we have someone of that calibre (and willing to do it)
available in Debian?


Maybe it is getting time to dump Horde2 from etch/sid, as the pain to
keeping it in has actually increased significantly. What do you think
about this Ola & Jose? The problem stays for sarge, though.


-- 
Lionel
diff --recursive -uN kronolith-1.1.4/templates/data/export.inc 
kronolith-1.1.4.deb/templates/data/export.inc
--- kronolith-1.1.4/templates/data/export.inc   2003-02-13 00:23:36.000000000 
+0100
+++ kronolith-1.1.4.deb/templates/data/export.inc       2006-01-22 
08:09:09.000000000 +0100
@@ -113,7 +113,7 @@
             <td>
 <?php
 $end_year_match = $start_year_match;
-$end_month_match = $start_month_match +1;
+$end_month_match = $start_month_match + 1;
 $end_day_match = $start_day_match;
 $end_hour_match = $start_hour_match;
 $end_min_match = $start_min_match;
diff --recursive -uN kronolith-1.1.4/templates/delete/delete.inc 
kronolith-1.1.4.deb/templates/delete/delete.inc
--- kronolith-1.1.4/templates/delete/delete.inc 2003-04-17 18:37:13.000000000 
+0200
+++ kronolith-1.1.4.deb/templates/delete/delete.inc     2006-01-22 
08:22:49.000000000 +0100
@@ -3,21 +3,24 @@
         $url = Kronolith::addParameter('month.php', 'month=' . $month);
         $url = Kronolith::addParameter($url, 'year=' . $year);
         $url = Horde::applicationUrl($url, true);
+    } else {
+       // Escape URLs that came from client-side input.
+       $url = htmlspecialchars($url);
     }
 ?>
 <form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>" 
method="post" target="_self" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>" 
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month 
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo 
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo 
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo 
htmlspecialchars($day) ?>" />
 <input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="eventID" value="<?php echo 
htmlspecialchars($event->getID()) ?>" />
 
 <center>
 <table border="0" cellspacing="0" cellpadding="4" align="center">
 
 <!-- header -->
 <tr class="header"> 
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"), 
$event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"), 
htmlspecialchars($event->getTitle())) ?></b></td>
 </tr>
 
 <!-- description -->
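Review bot: Escaping `$url` at assignment in the new `else` branch means the value is encoded twice further down, because the second hunk of this file wraps the same variable in `htmlspecialchars($url)` again inside the Cancel button's `onclick`; a URL with more than one query parameter would reach the browser with a literal `&amp;` in it. The `if` branch, by contrast, leaves `$url` unescaped when it is echoed into the hidden `url` field, although it is built from `$month` and `$year`, which this same hunk treats as untrusted (unless `Horde::applicationUrl()` already encodes its result, which is not visible here). I would drop the `else` branch and escape once at the point of output, as one.inc does: `<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />`. The `if` condition starts above the hunk, so where `$url` comes from is inferred from the added comment only.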
@@ -31,7 +34,7 @@
   <input type="submit" class="button" name="current" value="<?php echo 
_("Current") ?>" />
   <input type="submit" class="button" name="future" value="<?php echo 
_("Future") ?>" />
   <input type="submit" class="button" name="all" value="<?php echo _("All") 
?>" />
-  <input type="submit" class="button" name="cancel" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;" 
/>
+  <input type="submit" class="button" name="cancel" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url); 
?>'; return false;" />
  </td>
 </tr>
 
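Review bot: `htmlspecialchars($url)` on the Cancel button is the wrong encoding for where the value lands, which is a single-quoted JavaScript string inside the `onclick` attribute. The browser decodes HTML entities in the attribute before the script runs, and the default flags leave `'` untouched, so HTML escaping alone does not keep the value inside the string literal. The value needs JavaScript string escaping first and attribute escaping on top, for example `'<?php echo htmlspecialchars(addslashes($url), ENT_QUOTES) ?>'`, and it would be safer still to check that `$url` is a local http(s) URL before it is assigned to `self.location`. The same pattern is in the second hunk of one.inc, and in edit.inc `$delurl` and `$cancelurl` are still echoed into `onclick` with no escaping at all.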
diff --recursive -uN kronolith-1.1.4/templates/delete/one.inc 
kronolith-1.1.4.deb/templates/delete/one.inc
--- kronolith-1.1.4/templates/delete/one.inc    2003-04-17 18:37:13.000000000 
+0200
+++ kronolith-1.1.4.deb/templates/delete/one.inc        2006-01-22 
08:16:23.000000000 +0100
@@ -6,18 +6,18 @@
     }
 ?>
 <form action="<?php echo Horde::applicationUrl('deleventaction.php') ?>" 
method="post" name="delete">
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>" 
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month 
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="url" value="<?php echo $url ?>" />
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo 
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo 
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo 
htmlspecialchars($day) ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
+<input type="hidden" name="eventID" value="<?php echo 
htmlspecialchars($event->getID()) ?>" />
 
 <center>
 <table border="0" cellspacing="0" cellpadding="4" align="center">
 
 <!-- header -->
 <tr class="header"> 
- <td align="left" class="header"><b><?php echo sprintf(_("Delete %s"), 
$event->getTitle()) ?></b></td>
+ <td align="left" class="header"><b><?php printf(_("Delete %s"), 
htmlspecialchars($event->getTitle())) ?></b></td>
 </tr>
 
 <!-- description -->
@@ -29,7 +29,7 @@
 <tr>
  <td align="left">
   <input type="submit" class="button" name="delete" value="<?php echo 
_("Delete") ?>" />
-  <input type="submit" class="button" name="cancel" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo $url; ?>'; return false;" 
/>
+  <input type="submit" class="button" name="cancel" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo htmlspecialchars($url); 
?>'; return false;" />
  </td>
 </tr>
 
diff --recursive -uN kronolith-1.1.4/templates/edit/edit.inc 
kronolith-1.1.4.deb/templates/edit/edit.inc
--- kronolith-1.1.4/templates/edit/edit.inc     2004-07-22 17:52:59.000000000 
+0200
+++ kronolith-1.1.4.deb/templates/edit/edit.inc 2006-01-22 08:34:15.000000000 
+0100
@@ -27,16 +27,16 @@
 ?>
 <form action="<?php echo ($event->isInitialized() ? 'editeventaction.php' : 
'addeventaction.php') ?>" method="post" name="event">
 <?php Horde::pformInput() ?>
-<input type="hidden" name="year" value="<?php if (isset($year)) echo $year ?>" 
/>
-<input type="hidden" name="month" value="<?php if (isset($month)) echo $month 
?>" />
-<input type="hidden" name="mday" value="<?php if (isset($day)) echo $day ?>" />
-<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo 
$timestamp ?>" />
+<input type="hidden" name="year" value="<?php if (isset($year)) echo 
htmlspecialchars($year) ?>" />
+<input type="hidden" name="month" value="<?php if (isset($month)) echo 
htmlspecialchars($month) ?>" />
+<input type="hidden" name="mday" value="<?php if (isset($day)) echo 
htmlspecialchars($day) ?>" />
+<input type="hidden" name="timestamp" value="<?php if (isset($timestamp)) echo 
htmlspecialchars($timestamp) ?>" />
 <input type="hidden" name="new_category" value="" />
 <?php if (isset($url)): ?>
-<input type="hidden" name="url" value="<?php echo $url ?>" />
+<input type="hidden" name="url" value="<?php echo htmlspecialchars($url) ?>" />
 <?php endif; ?>
 <?php if ($event->isInitialized()): ?>
-<input type="hidden" name="eventID" value="<?php echo $event->getID() ?>" />
+<input type="hidden" name="eventID" value="<?php echo 
htmlspecialchars($event->getID()) ?>" />
 <?php endif; ?>
 
 <center>
@@ -55,7 +55,7 @@
   <input type="submit" class="button" name="saveAsNew" value="<?php echo 
_("Save As New") ?>" onclick="return checkCategory();" />
   <input type="submit" class="button" name="delete" value="<?php echo 
_("Delete Event") ?>" onclick="self.location = '<?php echo $delurl; ?>'; return 
false;" />
 <?php endif; ?>
-  <input type="submit" name="cancel" class="button" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl; ?>'; return 
false;" />
+  <input type="submit" name="cancel" class="button" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl ?>'; return 
false;" />
   <input type="button" name="resetButton" class="button" value="<?php echo 
_("Reset to Defaults") ?>" onclick="document.event.reset(); 
updateWday('start_wday'); updateWday('end_wday');" />
  </td>
 </tr>
@@ -335,7 +335,7 @@
     </td>
    <?php if (($count % 3 == 2) || ($count == count($keywords) - 1)): ?>
    </tr>
-   <?php endif; $count++; ?>
+   <?php endif; ++$count; ?>
    <?php endforeach; ?>
   </table>
  </td>
@@ -350,7 +350,7 @@
   <input type="submit" class="button" name="saveAsNew" value="<?php echo 
_("Save As New") ?>" onclick="return checkCategory();" />
   <input type="submit" class="button" name="delete" value="<?php echo 
_("Delete Event") ?>" onclick="self.location = '<?php echo $delurl; ?>'; return 
false;" />
 <?php endif; ?>
-  <input type="submit" name="cancel" class="button" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl; ?>'; return 
false;" />
+  <input type="submit" name="cancel" class="button" value="<?php echo 
_("Cancel") ?>" onclick="self.location = '<?php echo $cancelurl ?>'; return 
false;" />
   <input type="button" name="resetButton" class="button" value="<?php echo 
_("Reset to Defaults") ?>" onclick="document.event.reset(); 
updateWday('start_wday'); updateWday('end_wday');" />
   </td>
  </tr>
diff --recursive -uN kronolith-1.1.4/templates/view/view.inc 
kronolith-1.1.4.deb/templates/view/view.inc
--- kronolith-1.1.4/templates/view/view.inc     2003-04-17 18:37:13.000000000 
+0200
+++ kronolith-1.1.4.deb/templates/view/view.inc 2006-01-22 08:24:08.000000000 
+0100
@@ -137,10 +137,10 @@
 </tr>
 <?php foreach ($keyword_list as $cat => $list): ?>
 <tr>
- <td align="right" class="light" valign="top"><b><?php echo $cat 
?>&nbsp;&nbsp;</b></td>
+ <td align="right" class="light" valign="top"><b><?php echo 
htmlspecialchars($cat) ?>&nbsp;&nbsp;</b></td>
  <td align="left" class="text" colspan="3">
 <?php foreach ($list as $entry): ?>
-  <?php echo $entry ?><br />
+  <?php echo htmlspecialchars($entry) ?><br />
 <?php endforeach; ?>
  </td>
 </tr>
