Fix Cross-site Scripting (XSS) issue with link.php

This commit is contained in:
Morten Stevens 2017-07-06 14:11:38 +02:00
parent 859512b5bb
commit d6653ab510
2 changed files with 41 additions and 1 deletions

35
cacti-fix-xss.patch Normal file
View File

@ -0,0 +1,35 @@
From 3381cba6a9e36b01ed0ab0acfd41b00487966cb5 Mon Sep 17 00:00:00 2001
From: cigamit <jimmy@sqmail.org>
Date: Wed, 5 Jul 2017 06:45:03 -0500
Subject: [PATCH] Resolving Issue #838
Cross-site Scripting (XSS) issue with link.php
---
docs/CHANGELOG | 3 +++
lib/html_validate.php | 6 +++---
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/html_validate.php b/lib/html_validate.php
index 3d5e97fad..d5cb6168f 100644
--- a/lib/html_validate.php
+++ b/lib/html_validate.php
@@ -48,16 +48,16 @@ function die_html_input_error($variable = '', $value = '', $message = '') {
global $config;
?>
- <table style="width:100%;text-align:center;">
+ <table style='width:100%;text-align:center;'>
<tr>
<td>
- Validation error<?php print ($variable != '' ? ' for variable ' . $variable . ', with value of "' . $value . '"' . ($message != '' ? ', and error:' . $message : '') : '');?>. See backtrace below for more details.
+ <?php print __('Validation error for variable %s with a value of %s. See backtrace below for more details.', $variable, htmlspecialchars($value));?>
</td>
</tr>
</table>
<?php
- cacti_debug_backtrace('Validation Error' . ($variable != '' ? ", Variable:$variable":"") . ($value != '' ? ", Value:$value":""), true);
+ cacti_debug_backtrace('Validation Error' . ($variable != '' ? ", Variable:$variable":'') . ($value != '' ? ", Value:$value":''), true);
bottom_footer();
exit;

View File

@ -1,6 +1,6 @@
Name: cacti
Version: 1.1.12
Release: 1%{?dist}
Release: 2%{?dist}
Summary: An rrd based graphing tool
License: GPLv2+
URL: http://www.cacti.net/
@ -9,6 +9,7 @@ Source1: cacti-httpd.conf
Source2: cacti.logrotate
Source3: cacti.README.fedora
Source4: %{name}.cron
Patch0: cacti-fix-xss.patch
# Requires PHP 5.3+
Requires: php(language) >= 5.3
@ -69,6 +70,7 @@ driven.
%prep
%setup -q
%patch0 -p1
%build
# cacti's build is a noop
@ -166,6 +168,9 @@ restorecon -Rv '/var/log/cacti' &> /dev/null || :
%attr(-,root,root) %{_localstatedir}/lib/%{name}/lib
%changelog
* Thu Jul 06 2017 Morten Stevens <mstevens@fedoraproject.org> - 1.1.12-2
- Fix Cross-site Scripting (XSS) issue with link.php
* Wed Jul 05 2017 Morten Stevens <mstevens@fedoraproject.org> - 1.1.12-1
- Update to 1.1.12