Here is the patch for jessie. -- Mathieu
From e296b805cc1def193d3e9efa6891e031f18cb1de Mon Sep 17 00:00:00 2001 From: Mathieu Parent <math.par...@gmail.com> Date: Thu, 4 Feb 2016 14:03:33 +0100 Subject: [PATCH] Escape form value, fix XSS in Horde_Core_VarRenderer_Html (Closes: #813590)
---
 debian/changelog | 6 ++++++
 debian/patches/0001-Escape-form-value.patch | 25 +++++++++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 32 insertions(+)
 create mode 100644 debian/patches/0001-Escape-form-value.patch
 create mode 100644 debian/patches/series
diff --git a/debian/changelog b/debian/changelog
index 3a76ef5..950c5c6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+php-horde-core (2.15.0+debian0-2) unstable; urgency=medium
+
+ * Escape form value, fix XSS in Horde_Core_VarRenderer_Html (Closes: #813590)
+
+ -- Mathieu Parent <sath...@debian.org> Thu, 04 Feb 2016 14:03:38 +0100
+
 php-horde-core (2.15.0+debian0-1) unstable; urgency=medium
 * New upstream version 2.15.0+debian0
diff --git a/debian/patches/0001-Escape-form-value.patch b/debian/patches/0001-Escape-form-value.patch
new file mode 100644
index 0000000..1907b08
--- /dev/null
+++ b/debian/patches/0001-Escape-form-value.patch
@@ -0,0 +1,25 @@
+From: Michael J Rubinsky <mrubi...@horde.org>
+Date: Mon, 14 Dec 2015 09:27:09 -0500
+Subject: Escape form value.
+
+Even though this is a numeric field, this isn't enforced until
+the form is submitted.
+
+(Adapted from upstream 11d74fa5a22fe626c5e5a010b703cd46a136f253)
+
+diff --git a/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php b/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
+index 62ae559..580dc27 100644
+--- a/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
++++ b/Horde_Core-2.15.0/lib/Horde/Core/Ui/VarRenderer/Html.php
+@@ -48,7 +48,7 @@ class Horde_Core_Ui_VarRenderer_Html extends Horde_Core_Ui_VarRenderer
+ return sprintf('<input type="text" size="5" name="%s" id="%s" value="%s"%s />',
+ htmlspecialchars($var->getVarName()),
+ $this->_genID($var->getVarName(), false),
+- $value,
++ htmlspecialchars($value),
+ $this->_getActionScripts($form, $var)
+ );
+ }
+--
+2.7.0
+
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..3a37ec8
--- /dev/null
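Review bot: The new `htmlspecialchars($value)` in the added patch relies on the default flag set, which before PHP 8.1 is `ENT_COMPAT` and leaves single quotes unescaped; that is sufficient for the double-quoted `value="%s"` attribute on the line above it, but `htmlspecialchars($value, ENT_QUOTES)` would keep the escape correct if the attribute quoting ever changes. The inner hunk shows only the `return sprintf(...)` statement — the enclosing method in Html.php starts and ends outside it — so it is not visible whether the numeric constraint the patch description mentions could also be enforced at render time as defence in depth. Other renderers in the same class that interpolate a raw `$value` are not part of this patch; if any exist they presumably need the same treatment, which is worth confirming against the upstream commit 11d74fa5a22fe626c5e5a010b703cd46a136f253 cited in the patch header.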
+++ b/debian/patches/series
@@ -0,0 +1 @@
+0001-Escape-form-value.patch
--
2.7.0