tags 604060 + patch
tags 604060 + pending
thanks

Dear maintainer,

I've prepared an NMU for pootle (versioned as 2.0.5-0.3) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.

diff -u pootle-2.0.5/debian/changelog pootle-2.0.5/debian/changelog
--- pootle-2.0.5/debian/changelog
+++ pootle-2.0.5/debian/changelog
@@ -1,3 +1,14 @@
+pootle (2.0.5-0.3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix XSS vulnerability with patch in
+    local_apps/pootle_app/views/language/translate_page.py
+    Thanks to Luciano Bello and Friedel Wolff for the notification
+    (Closes: #604060)
+  * Set urgency medium due to RC bug fix
+
+ -- Alexander Reichle-Schmehl <toli...@debian.org>  Mon, 29 Nov 2010 17:47:31 +0100
+
 pootle (2.0.5-0.2) unstable; urgency=medium
 
   * Non-maintainer upload with maintainer's agreement
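Review bot: the changelog entry names the affected file but not what the fix does or where it lives in the packaging; consider mentioning debian/patches/604060.patch and stating that quality-check names are now HTML-escaped before being interpolated into the pofilter link markup, so a reader of the changelog can tell which input was affected without opening the patch.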
diff -u pootle-2.0.5/debian/patches/series pootle-2.0.5/debian/patches/series
--- pootle-2.0.5/debian/patches/series
+++ pootle-2.0.5/debian/patches/series
@@ -5,0 +6 @@
+604060.patch
only in patch2:
unchanged:
--- pootle-2.0.5.orig/debian/patches/604060.patch
+++ pootle-2.0.5/debian/patches/604060.patch
@@ -0,0 +1,20 @@
+--- a/local_apps/pootle_app/views/language/translate_page.py
++++ b/local_apps/pootle_app/views/language/translate_page.py
+@@ -28,7 +28,7 @@ from django.conf import settings
+ from django.core.exceptions import PermissionDenied
+ from django.shortcuts import render_to_response
+ from django.template import RequestContext
+-from django.utils.html import urlize
++from django.utils.html import urlize, escape
+ from django.utils.translation import ugettext as _
+ from django.utils.translation import ungettext
+ 
+@@ -72,7 +72,7 @@ def add_file_links(request, store):
+             checknames = \
+             ["<a href='http://translate.sourceforge.net/wiki/toolkit/pofilter_tests#%(checkname)s' \
+             title='%(checkname)s' target='_blank'>%(checkname)s</a>" % \
+-            {"checkname": matchname.replace("check-", "", 1)} for matchname in state.match_names]
++            {"checkname": escape(matchname.replace("check-", "", 1))} for matchname in state.match_names]
+             # TODO: put the following parameter in quotes, since it will be foreign in all target languages
+             # l10n: the parameter is the name of one of the quality checks, like "fuzzy"
+             template_vars["checking_text"] = _("checking %s", ", ".join(checknames))
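Review bot: debian/patches/604060.patch starts directly with the `---`/`+++` file headers and carries no DEP-3 header; add at least `Description:`, `Bug-Debian: http://bugs.debian.org/604060` and an `Origin:` line (upstream commit if one exists, otherwise `vendor`) so the patch's provenance survives the NMU. On the change itself, wrapping the value inside the dict is the right place for `escape()`, because the same `checkname` is interpolated into the href, the single-quoted `title` attribute and the link text, and Django's `escape()` also converts single quotes, so all three sites are covered by the one call.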
