Fix showing echelon information. It needs unescaped input

diff --git a/Util.pm b/Util.pm
index 7f19694..374a592 100644 (file)
--- a/Util.pm
+++ b/Util.pm
@@ -228,16 +228,21 @@ sub FormatLastSeen {
   my ($d1, $d2, $lastseen);
 
   return "<b>No activity detected</b>" if (!$lastseenpgp && !$lastseenfrom);
+  $lastseen = $lastseenpgp;
   $lastseen = $lastseenfrom if (!$lastseenpgp);
 
   if ($lastseenfrom && $lastseenpgp) {
-    ($d1) = ($lastseenpgp =~ /^\[(.+?)\]/); $d1 = ParseDate($d1);  
+    ($d1) = ($lastseenpgp =~ /^\[(.+?)\]/); $d1 = ParseDate($d1);
     ($d2) = ($lastseenfrom =~ /^\[(.+?)\]/); $d2 = ParseDate($d2);
     $lastseen = (($d1 gt $d2) ? $lastseenpgp : $lastseenfrom);
   }
 
-  my ($date,$user,$list,$msgid) = ($lastseen =~ /^\[(.+?)\]\s+"(.+?)"\s+"(?:<(.+?)>.*?|\-)"\s+"<(.+?)>"/);
+  my ($date,$user,$list,$msgid) = ($lastseen =~ /^\[(.+?)\]\s+"(.+?)"\s+"(?:<(.+?)>.*?|\-)"\s+"(<.+?>)"/);
   $list = "on $list" if ($list);
+  $date = CGI::escapeHTML($date);
+  $user = CGI::escapeHTML($user);
+  $list = CGI::escapeHTML($list);
+  $msgid = CGI::escapeHTML($msgid);
   return "$date $list<br>&nbsp;Message ID: $msgid";
 }
 

diff --git a/debian/changelog b/debian/changelog
index 568ac49..b7120f2 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+userdir-ldap-cgi (0.3.27) unstable; urgency=low
+
+  * Fix showing echelon information.  It needs unescaped input.
+
+ -- Peter Palfrader <weasel@debian.org>  Wed, 13 May 2009 00:11:34 +0200
+
 userdir-ldap-cgi (0.3.26) unstable; urgency=low
 
   * In machines.cgi: do not skip [[- purposes. "[[-<hostname>]]" gets

diff --git a/search.cgi b/search.cgi
index e3eb882..dcab35b 100755 (executable)
--- a/search.cgi
+++ b/search.cgi
@@ -117,14 +117,18 @@ if (!$dosearch) {
   # Format the output....
   foreach $dn (sort {$entries->{$a}->{sn}->[0] <=> $entries->{$b}->{sn}->[0]} keys(%$entries)) {
     my $ok = 0;
+    # These are local variables.. i have enough global vars as it is... <sigh>
+    my ($ufdn, $login, $name, $icquin, $jabberjid, $email, $fingerprint,
+       $address, $latlong, $vacation, $created, $modified, $lastseen, $gender) = undef;
+
+    # Last seen information (Echelon)
+    $lastseen = &Util::FormatLastSeen($entries->{$dn}->{"activity-pgp"}->[0],
+                                      $entries->{$dn}->{"activity-from"}->[0]);
+
     $data = $entries->{$dn};
     for my $key (keys %{$data}) {
       @{$data->{$key}} = map { CGI::escapeHTML($_); } @{$data->{$key}};
     }
-
-    # These are local variables.. i have enough global vars as it is... <sigh>
-    my ($ufdn, $login, $name, $icquin, $jabberjid, $email, $fingerprint,
-       $address, $latlong, $vacation, $created, $modified, $lastseen, $gender) = undef;
     
     $ufdn = $dn; # Net::LDAP does not have a dn2ufn function, but this is close enough :)
     
@@ -179,10 +183,6 @@ if (!$dosearch) {
     $modified = &Util::FormatTimestamp($data->{modifytimestamp}->[0]);
     $created =  &Util::FormatTimestamp($data->{createtimestamp}->[0]);
 
-    # Last seen information (Echelon)
-    $lastseen = &Util::FormatLastSeen($data->{"activity-pgp"}->[0],
-                                      $data->{"activity-from"}->[0]);
-
     # Link in the debian login id 
     $login = $data->{uid}->[0];
     $login = "$login";