From f9609dae4f7fce6ca978c830f8e6311b7a94723c Mon Sep 17 00:00:00 2001 From: Peter Palfrader Date: Tue, 16 Sep 2008 16:29:40 +0200 Subject: [PATCH] Do not HTML escape stuff we just got from the user before writing it to LDAP, set it as passwords, etc. Instead escape stuff we did read from LDAP. --- debian/changelog | 8 ++++++++ search.cgi | 3 +++ update.cgi | 21 +++++++++++++-------- 3 files changed, 24 insertions(+), 8 deletions(-) diff --git a/debian/changelog b/debian/changelog index 2c3169e..a88baf7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +userdir-ldap-cgi (0.3.19) unstable; urgency=low + + * Do not HTML escape stuff we just got from the user before + writing it to LDAP, set it as passwords, etc. Instead + escape stuff we did read from LDAP. + + -- Peter Palfrader Tue, 16 Sep 2008 16:21:32 +0200 + userdir-ldap-cgi (0.3.18) unstable; urgency=low * Add password checking via a python wrapper. diff --git a/search.cgi b/search.cgi index ff99da3..e3eb882 100755 --- a/search.cgi +++ b/search.cgi @@ -118,6 +118,9 @@ if (!$dosearch) { foreach $dn (sort {$entries->{$a}->{sn}->[0] <=> $entries->{$b}->{sn}->[0]} keys(%$entries)) { my $ok = 0; $data = $entries->{$dn}; + for my $key (keys %{$data}) { + @{$data->{$key}} = map { CGI::escapeHTML($_); } @{$data->{$key}}; + } # These are local variables.. i have enough global vars as it is... my ($ufdn, $login, $name, $icquin, $jabberjid, $email, $fingerprint, diff --git a/update.cgi b/update.cgi index 716faa9..8e74b3e 100755 --- a/update.cgi +++ b/update.cgi @@ -82,8 +82,9 @@ if (!($query->param('doupdate'))) { # First do the easy stuff - this catches most of the cases foreach (keys(%$entry)) { $data{$_} = $entry->{$_}->[0]; + $data{$_} = CGI::escapeHTML($data{$_}) if defined $data{$_}; } - + $data{gender} = 9 if not $data{gender}; # Now we have to fill in the rest that needs some processing... @@ -92,6 +93,7 @@ if (!($query->param('doupdate'))) { $data{editdn} = $editdn; $data{staddress} = $entry->{postaladdress}->[0]; $data{staddress} =~ s/\$/\n/; + $data{staddress} = CGI::escapeHTML($data{staddress}); $data{countryname} = &Util::LookupCountry($data{c}); if ($data{mailgreylisting} eq "TRUE") { @@ -106,7 +108,7 @@ if (!($query->param('doupdate'))) { $data{mailcallout} = ""; } - $data{email} = join(", ", @{$entry->{emailforward}}); + $data{email} = CGI::escapeHTML(join(", ", @{$entry->{emailforward}})); my $genderselect = ' (delete)\n"; + + (delete)\n"; $sudopassword .= $e; if ($status eq 'unconfirmed') { my $data = join(':', 'confirm-new-password', $uuid, $hosts, $crypted); my $hmac = hmac_sha1_hex( $data, $hmac_key); - $confirmstring .= "confirm sudopassword $uuid $hosts $hmac\n"; + $confirmstring .= CGI::escapeHTML("confirm sudopassword $uuid $hosts $hmac\n"); } }; if ($confirmstring ne '') { @@ -176,7 +178,10 @@ if (!($query->param('doupdate'))) { # Actually update stuff... my ($newpassword, $newstaddress); - &Util::FixParams($query); + # Good god, why would we want to do that here? it breaks password setting + # etc, and it doesn't prevent people from setting eveil stuff in ldap + # directly. + # &Util::FixParams($query); if (($query->param('labeleduri')) && ($query->param('labeleduri') !~ /^https?:\/\//i)) { -- 2.20.1