Skia has proposed merging lp:~hyask/errors/xss_2046565 into lp:errors.
Requested reviews:
Daisy Pluckers (daisy-pluckers)
Related bugs:
Bug #2046565 in Errors: "XSS in error message display function
(problem-not-found)"
https://bugs.launchpad.net/errors/+bug/2046565
For more details, see:
https://code.launchpad.net/~hyask/errors/xss_2046565/+merge/471074
Fix bug 2046565
--
Your team Daisy Pluckers is requested to review the proposed merge of
lp:~hyask/errors/xss_2046565 into lp:errors.
=== modified file 'errors/templates/main.html'
--- errors/templates/main.html 2024-07-17 22:20:46 +0000
+++ errors/templates/main.html 2024-08-12 15:53:44 +0000
@@ -56,7 +56,7 @@
msg = 'That bug does not have a matching crash signature in ' +
'this database yet.';
} else if (qs['problem-not-found'] != undefined) {
- msg = 'The problem \'' + qs['problem-not-found'] +
+ msg = 'The problem \'' + qs['problem-not-found'].replace(/[^a-fA-F0-9]/gim,'') +
'\' could not be found.';
}
if (msg != '') {
=== modified file 'errors/views.py'
--- errors/views.py 2022-03-15 16:24:57 +0000
+++ errors/views.py 2024-08-12 15:53:44 +0000
@@ -32,7 +32,7 @@
return HttpResponseRedirect('/')
if not cassie.bucket_exists(bucketid):
- return HttpResponseRedirect('/?problem-not-found=' + bucketid)
+ return HttpResponseRedirect('/?problem-not-found=' + quote(bucketid))
traceback = cassie.get_traceback_for_bucket(bucketid)
metadata = cassie.get_metadata_for_bucket(bucketid)
@@ -151,5 +151,5 @@
else:
bucketid = None
if not bucketid:
- return HttpResponseRedirect('/?problem-not-found=' + hashed)
+ return HttpResponseRedirect('/?problem-not-found=' + quote(hashed))
return bucket(request, bucketid, hashed)
--
Mailing list: https://launchpad.net/~canonical-ubuntu-qa
Post to : canonical-ubuntu-qa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~canonical-ubuntu-qa
More help : https://help.launchpad.net/ListHelp
