Andrew Donnellan discovered an XSS via the message-id field. A malicious user could send a patch with a message ID that included a script tag. Because of the quirks of the email RFCs, such a message ID can survive being sent through many mail systems, including Gmail, and be parsed and stored by Patchwork. When a user views a patch detail page for the patch with this message id, the script would be run.
This is due to an erroneous mark_safe() in the template tag that renders message IDs. This has been present since v1.1 of upstream Patchwork, but does not affect the FreeDesktop fork.

The bug is fixed in patch 1. If you run a patchwork instance, you should apply it immediately. There is also a test patch, patch 2, that you may find helpful.

Over the last few days we have disclosed this bug to the admins of patchwork instances that we could identify. We were hoping to give people running instances a few more days, but the embargo was accidentally broken early, so we're letting you all know now.

I have already applied these patches to the git repository. I have also backported the patches to 2.1 and 2.0, pushed them, and will do a new release of both shortly.

Kind regards,
Daniel

Andrew Donnellan (2):
  templatetags: Do not mark output of msgid tag as safe
  tests: Add test for unescaped values in patch detail page

 patchwork/templatetags/patch.py |  3 ++-
 patchwork/tests/test_detail.py  | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

-- 
2.20.1

_______________________________________________
Patchwork mailing list
Patchwork@lists.ozlabs.org
https://lists.ozlabs.org/listinfo/patchwork
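The following is an added, self-contained illustration of the bug class described in the announcement; it is not Patchwork's code and does not use Django. It models two Django behaviours that the advisory relies on: template autoescaping, which HTML-escapes every printed value unless the value is marked safe, and mark_safe(), which wraps a string so the template engine emits it verbatim. The raw mail, the `msgid_vulnerable`/`msgid_fixed` functions and the `render_detail_page` helper are constructed for this example (the stripping of RFC 5322 angle brackets is an assumption about what the real tag does); the point is only that a Message-ID carrying a script tag parses cleanly with Python's `email` module and reaches the page unescaped when the tag's output is marked safe, and is neutralised as soon as the mark_safe() is dropped.

```python
"""Model of an HTML-escaping bug caused by mark_safe() on untrusted input.

Added illustration, not Patchwork's own code.  No Django dependency: the
SafeString/mark_safe/autoescape_render stand-ins below approximate the
Django behaviours the advisory refers to.
"""
import email
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString."""


def mark_safe(s: str) -> SafeString:
    """Stand-in for django.utils.safestring.mark_safe()."""
    return SafeString(s)


def autoescape_render(value) -> str:
    """Stand-in for how a Django template prints {{ value }} with autoescape on:
    anything marked safe is emitted verbatim, everything else is HTML-escaped."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def msgid_vulnerable(value: str):
    """Approximation of the pre-fix tag: strip the angle brackets that RFC 5322
    puts around a Message-ID, then mark the result safe.  The message ID is
    attacker-controlled, so this is exactly the mistake the advisory describes."""
    return mark_safe(value.strip("<>"))


def msgid_fixed(value: str):
    """Approximation of the post-fix tag: same stripping, but a plain str is
    returned, so the template's autoescaping applies to it."""
    return value.strip("<>")


# Constructed raw mail.  The Message-ID is syntactically odd, but as the
# advisory notes such a header survives relaying through many mail systems.
RAW_MAIL = (
    "From: attacker@example.com\r\n"
    "To: list@example.org\r\n"
    "Subject: [PATCH] harmless looking patch\r\n"
    "Message-ID: <xss<script>alert(document.cookie)</script>@example.com>\r\n"
    "\r\n"
    "---\r\n"
    " file.c | 1 +\r\n"
)


def extract_msgid(raw: str) -> str:
    """Parse the mail the way a Python-based patch tracker would and return the
    Message-ID header as it would be stored in the database."""
    msg = email.message_from_string(raw)
    return msg["Message-ID"]


def render_detail_page(msgid_tag, raw: str = RAW_MAIL) -> str:
    """Render the fragment of a patch detail page that prints the message ID,
    using the given template-tag implementation."""
    stored = extract_msgid(raw)
    return "<td>Message ID</td><td>%s</td>" % autoescape_render(msgid_tag(stored))


def is_script_injected(rendered: str) -> bool:
    """True if a live <script> element made it into the rendered HTML."""
    return "<script>" in rendered


if __name__ == "__main__":
    for name, tag in (("vulnerable", msgid_vulnerable), ("fixed", msgid_fixed)):
        page = render_detail_page(tag)
        print("%-10s script injected=%s  %s" % (name, is_script_injected(page), page))
```

Running the block prints the vulnerable rendering with a live `<script>` element and the fixed rendering with `&lt;script&gt;`, which is the whole difference the one-line patch makes: the template engine already escapes by default, so the safe course for a value that originates in an e-mail header is to hand it back as a plain string and let autoescaping do its job.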