From 81a7b53973506856db67e7f0b0263be29528aa75 Mon Sep 17 00:00:00 2001
From: Michael J Rubinsky <mrubinsk@horde.org>
Date: Sat, 20 Apr 2019 17:34:41 -0400
Subject: [PATCH] Fix XSS vuln in the Horde Cloud Block.
---
horde-5.2.13/lib/Block/Cloud.php | 6 +++++-
horde-5.2.13/services/portal/cloud_search.php | 2 +-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/horde-5.2.13/lib/Block/Cloud.php b/horde-5.2.13/lib/Block/Cloud.php
index 92a44255..9df5bf3c 100644
--- a/horde-5.2.13/lib/Block/Cloud.php
+++ b/horde-5.2.13/lib/Block/Cloud.php
@@ -13,6 +13,10 @@ class Horde_Block_Cloud extends Horde_Core_Block
$this->_name = _("Tag Cloud");
}
+ protected function _escapeJs($string)
+ {
+ return str_replace("\n", '\n', str_replace('"', '\"', addcslashes(str_replace("\r", '', (string)$string), "\0..\37'\\")));
+ }
/**
*/
protected function _content()
@@ -21,7 +25,7 @@ class Horde_Block_Cloud extends Horde_Core_Block
foreach ($this->_getTags() as $tag) {
$cloud->addElement(
$tag['tag_name'], '#', $tag['count'], null,
- 'doSearch(\'' . $tag['tag_name'] . '\'); return false;');
+ 'doSearch(\'' . htmlspecialchars($this->_escapeJs($tag['tag_name'])) . '\'); return false;');
}
Horde::startBuffer();
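Review bot: The new `_escapeJs` method has no docblock although the neighbouring `_content` carries one; it should state that it escapes for a single-quoted JavaScript string literal and that HTML-escaping for the attribute context is the caller's job, e.g. `/** Escapes $string for use inside a single-quoted JS string literal. The result must still be HTML-escaped when placed in an attribute. @param string $string @return string */`. The call site applies the two layers in the correct order (JS escape first, then `htmlspecialchars`) because the browser HTML-decodes the attribute value before the JS parser sees it, and that rationale deserves a one-line comment at the `$cloud->addElement(` call. `htmlspecialchars` is called without `ENT_QUOTES`, so a single quote survives as `\'`; that is safe only if `addElement` emits the handler inside a double-quoted attribute, which cannot be confirmed from the hunk, so either verify it or pass `ENT_QUOTES`. The outer `str_replace("\n", '\n', ...)` appears redundant since `addcslashes` with the `\0..\37` range already rewrites a newline as `\n`, though keeping it is harmless. `_content` begins and continues outside the hunk.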
diff --git a/horde-5.2.13/services/portal/cloud_search.php b/horde-5.2.13/services/portal/cloud_search.php
index d72da96e..0d44b5a5 100644
--- a/horde-5.2.13/services/portal/cloud_search.php
+++ b/horde-5.2.13/services/portal/cloud_search.php
@@ -43,7 +43,7 @@ foreach ($results as $result) {
echo '<li class="linedRow"><span style="width:50%"> ' .
(empty($result['icon']) ? Horde_Themes_Image::tag(Horde_Themes::img($result['app'] . '.png', array('app' => $result['app'])), array('alt' => $result['app'])) : '') .
Horde::link($result['view_url'], '', '', '', '', '', '', array('style' => 'margin:4px')) .
- (empty($result['icon']) ? $result['title'] : '<img src="' . $result['icon'] . '" />') .
+ (empty($result['icon']) ? htmlspecialchars($result['title']) : '<img src="' . $result['icon'] . '" />') .
'</a></span><span style="width:50%;font-style:italic;">' . $result['desc'] . '</span></li>';
}
echo '</ul>';
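Review bot: Only `$result['title']` gains `htmlspecialchars` on the changed line, while `$result['desc']` on the following line and `$result['icon']` inside the `src` attribute are still concatenated raw into the same `<li>`; if they come from the same per-application search results as `title`, they need the same treatment. Unless `desc` is intended to carry markup, change them to `htmlspecialchars($result['desc'])` and `'<img src="' . htmlspecialchars($result['icon']) . '" />'`. The `foreach` body is fully inside the hunk, but `$results` is built outside it, so whether these fields are escaped upstream cannot be confirmed here.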
--
2.20.1