Description: Check XSS in ::Plugins::Upgrade
Author: Maxime Besson <maxime.besson@worteks.com>
Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/614
Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/3257
Forwarded: not-needed
Applied-Upstream: 2.20.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/600ba2c0b3d4bb0a4dd2eb9d8b612edcca8805dc
Reviewed-By: Yadd <yadd@debian.org>
Last-Update: 2024-11-09
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/Upgrade.pm
@@ -79,6 +79,9 @@
$self->logger->debug(" -> Skip confirmation is enabled")
if $self->conf->{"skip${action}Confirmation"};
+ $url = '' if $self->p->checkXSSAttack('url', $url);
+ $forceUpgrade = '' if $self->p->checkXSSAttack('forceUpgrade', $forceUpgrade);
+
# Display form
return $self->p->sendHtml(
$req,
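Review bot: The two added lines are a blocklist defence: `checkXSSAttack` blanks only values it recognises as an attack, so anything that slips past the heuristic still reaches `sendHtml` on the following lines as `$url` and `$forceUpgrade`. `$forceUpgrade` reads like a flag, so if it is only ever tested for truth it should be normalised to one rather than filtered, e.g. `$forceUpgrade = $forceUpgrade ? 1 : '';`, and `$url` would be safer passed through whatever trusted-URL check the portal already applies to redirect targets before it is handed to the template (I cannot see from this hunk whether that happens earlier). Whatever is done here, the `upgradesession` template must still HTML-escape both parameters; this patch does not show that it does. The enclosing method begins before this hunk, so where `$url` and `$forceUpgrade` are read from the request is outside the visible lines.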