tags 439337 patch
thanks

Hi

Attached you will find my NMU proposal for this bug.
Please give some feedback, if you agree/dissagree with that patch. Maybe you 
want to do a MU for that, which would of course be great. If you do not have 
the time for that, I would also appreciate to get your approval for the NMU.
In any case, a small feedback would be great :)
Thanks for your efforts.

Cheers
Steffen
diff -u websvn-1.61/debian/patches/series websvn-1.61/debian/patches/series
--- websvn-1.61/debian/patches/series
+++ websvn-1.61/debian/patches/series
@@ -3,0 +4 @@
+CVE-2007-3056.diff
diff -u websvn-1.61/debian/changelog websvn-1.61/debian/changelog
--- websvn-1.61/debian/changelog
+++ websvn-1.61/debian/changelog
@@ -1,3 +1,12 @@
+websvn (1.61-22.2) unstable; urgency=high
+
+  * Non-maintainer upload by the testing-security team
+  * Include CVE-2007-3056.diff to fix Cross-site scripting (XSS)
+    vulnerability in filedetails.php (Closes: #439337)
+    Fixes: CVE-2007-3056
+
+ -- Steffen Joeris <[EMAIL PROTECTED]>  Mon, 03 Sep 2007 13:46:20 +0000
+
 websvn (1.61-22.1) unstable; urgency=high
 
   * Non-maintainer upload during BSP.
only in patch2:
unchanged:
--- websvn-1.61.orig/debian/patches/CVE-2007-3056.diff
+++ websvn-1.61/debian/patches/CVE-2007-3056.diff
@@ -0,0 +1,22 @@
+--- filedetails.php.orig	2007-09-03 13:44:37.000000000 +0000
++++ websvn-1.61/filedetails.php	2007-09-03 13:45:29.000000000 +0000
+@@ -127,9 +127,9 @@
+    $vars["goyoungestlink"] = "";
+ 
+ $vars["action"] = "";
+-$vars["repname"] = $rep->name;
+-$vars["rev"] = $rev;
+-$vars["path"] = $ppath;
++$vars["repname"] = htmlentities($rep->getDisplayName(), ENT_QUOTES, 'UTF-8');
++$vars["rev"] = htmlentities($rev, ENT_QUOTES, 'UTF-8');
++$vars["path"] = htmlentities($ppath, ENT_QUOTES, 'UTF-8');
+ 
+ createDirLinks($rep, $ppath, $passrev, $showchanged);
+ 
+@@ -145,4 +145,4 @@
+ parseTemplate($config->templatePath."header.tmpl", $vars, $listing);
+ parseTemplate($config->templatePath."file.tmpl", $vars, $listing);
+ parseTemplate($config->templatePath."footer.tmpl", $vars, $listing);
+-?>
+\ No newline at end of file
++?>

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to