Hi Steven,
thanks for the analysis and patch ... already pushed to master
lg
tobi
Today Steven Chamberlain wrote:
> Time specifiers supplied in the Navigator Graph page web form are used
> to construct filenames in the cache directory.
>
> Also on that page, or in error output, the URL of that graph is not
> properly escaped. Injection of some characters into HTML is possible,
> similar to CVE-2012-0790 but perhaps not enough to cause XSS.
>
> As a precaution, use the existing regex $xssBadRx to filter out
> unnecessary characters which fixes both issues. Doing this in
> parse_datetime conveniently covers all uses.
>
> diff --git a/lib/Smokeping.pm b/lib/Smokeping.pm
> index cec130a..babd658 100644
> --- a/lib/Smokeping.pm
> +++ b/lib/Smokeping.pm
> @@ -1029,12 +1029,13 @@ sub smokecol ($) {
> sub parse_datetime($){
> my $in = shift;
> for ($in){
> + $in =~ s/$xssBadRx/_/g;
> /^(\d+)$/ && do { my $value = $1; $value = time if $value > 2**32;
> return $value};
>
> /^\s*(\d{4})-(\d{1,2})-(\d{1,2})(?:\s+(\d{1,2}):(\d{2})(?::(\d{2}))?)?\s*$/
> &&
> return POSIX::mktime($6||0,$5||0,$4||0,$3,$2-1,$1-1900,0,0,-1);
> /^now$/ && return time;
> /([ -:a-z0-9]+)/ && return $1;
> };
> return time;
> }
>
>
--
Tobi Oetiker, OETIKER+PARTNER AG, Aarweg 15 CH-4600 Olten, Switzerland
http://it.oetiker.ch [email protected] ++41 62 775 9902 / sb: -9900
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]