Skia has proposed merging lp:~hyask/errors/xss_2046565 into lp:errors. Requested reviews: Daisy Pluckers (daisy-pluckers) Related bugs: Bug #2046565 in Errors: "XSS in error message display function (problem-not-found)" https://bugs.launchpad.net/errors/+bug/2046565
For more details, see: https://code.launchpad.net/~hyask/errors/xss_2046565/+merge/471074 Fix bug 2046565 -- Your team Daisy Pluckers is requested to review the proposed merge of lp:~hyask/errors/xss_2046565 into lp:errors.
=== modified file 'errors/templates/main.html'
--- errors/templates/main.html 2024-07-17 22:20:46 +0000
+++ errors/templates/main.html 2024-08-12 15:53:44 +0000
@@ -56,7 +56,7 @@
 msg = 'That bug does not have a matching crash signature in ' +
 'this database yet.';
 } else if (qs['problem-not-found'] != undefined) {
- msg = 'The problem \'' + qs['problem-not-found'] +
+ msg = 'The problem \'' + qs['problem-not-found'].replace(/[^a-fA-F0-9]/gim,'') +
 '\' could not be found.';
 }
 if (msg != '') {
=== modified file 'errors/views.py'
--- errors/views.py 2022-03-15 16:24:57 +0000
+++ errors/views.py 2024-08-12 15:53:44 +0000
@@ -32,7 +32,7 @@
 return HttpResponseRedirect('/')
 if not cassie.bucket_exists(bucketid):
- return HttpResponseRedirect('/?problem-not-found=' + bucketid)
+ return HttpResponseRedirect('/?problem-not-found=' + quote(bucketid))
 traceback = cassie.get_traceback_for_bucket(bucketid)
 metadata = cassie.get_metadata_for_bucket(bucketid)
@@ -151,5 +151,5 @@
 else:
 bucketid = None
 if not bucketid:
- return HttpResponseRedirect('/?problem-not-found=' + hashed)
+ return HttpResponseRedirect('/?problem-not-found=' + quote(hashed))
 return bucket(request, bucketid, hashed)
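Review bot: The added `.replace(/[^a-fA-F0-9]/gim,'')` cleans this one value instead of making the output step safe, so the protection depends on every other `qs[...]` value that gets concatenated into `msg` receiving its own filter. How `msg` reaches the page is outside this hunk; if it is assigned as markup, writing it as text (for example via `textContent`) would keep the message inert whatever it contains. The filter also changes what the user sees: views.py redirects here with `bucketid` as well as `hashed`, and any identifier that is not purely hexadecimal would be displayed with characters silently removed. The `i` and `m` flags do nothing with an explicit `a-fA-F0-9` class, so `/[^a-fA-F0-9]/g` is enough, and a comment such as `// value comes straight from the URL; echo hex digits only` would record why the filter is there.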
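Review bot: `quote` is called in both views.py hunks (the `bucket_exists` redirect and the `if not bucketid` redirect) but no hunk adds an import for it, so unless the file already imports it outside the visible lines these error paths raise `NameError` instead of redirecting; the change would then need `from urllib.parse import quote` (or `from urllib import quote` on Python 2) at the top of the file. Percent-encoding keeps characters such as `&`, `#` and `=` in the identifier from altering the redirect's query string, but the page script presumably decodes the value again, so the handling in main.html remains the control that matters for display. A comment above each redirect, e.g. `# user-supplied value: encode so it stays a single query parameter`, would make that intent explicit. Both enclosing functions start and end outside the hunks.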