Branch: refs/heads/lucene-search
Home: https://github.com/jenkinsci/lucene-search-plugin

Commit: 5f9fd00d83a5a73a7b9579e8139b3db3a9065ed2
    https://github.com/jenkinsci/lucene-search-plugin/commit/5f9fd00d83a5a73a7b9579e8139b3db3a9065ed2
Author: tdraebing <thomas.draeb...@sap.com>
Date: 2022-12-01 (Thu, 01 Dec 2022)
Changed paths:
  M src/main/resources/org/jenkinsci/plugins/lucene/search/FreeTextSearch/search-results.jelly

Log Message:
-----------
Escape everything in search result screen

In the search results screen the query was displayed without escaping it first. That allowed injecting arbitrary code like JavaScript. This was possible because the feature of Jelly to escape everything by default was disabled.

This fixes https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2812.

Commit: a15d30510ab8962ea8252081b56f808adbb3c6d6
    https://github.com/jenkinsci/lucene-search-plugin/commit/a15d30510ab8962ea8252081b56f808adbb3c6d6
Author: Mark Chen <39845648+hma...@users.noreply.github.com>
Date: 2022-12-02 (Fri, 02 Dec 2022)

Changed paths:
  M src/main/resources/org/jenkinsci/plugins/lucene/search/FreeTextSearch/search-results.jelly

Log Message:
-----------
Merge pull request #56 from tdraebing/fix_CVE-2022-36922

Escape all templated text in search result screen [CVE-2022-36922]

Compare: https://github.com/jenkinsci/lucene-search-plugin/compare/b56e0aba81a3...a15d30510ab8
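The commit message above names the root cause: Jelly's escape-by-default feature was switched off in the view, so `${...}` expressions such as the search query were written into the page raw. As an added example (not code from the plugin, the pull request, or this thread), the Python below audits Jelly view sources for the `<?jelly escape-by-default='true'?>` directive, lists the expressions that would reach the page unescaped when the directive is missing or set to false, and includes a toy renderer that shows what the directive changes for a query value that contains markup. The three sample views and the `query` value are constructed for the demonstration; the plugin's real search-results.jelly is not reproduced.

```python
import html
import re

# Constructed sample Jelly views (hypothetical, not files from the plugin).
VIEW_DISABLED = """<?jelly escape-by-default='false'?>
<j:jelly xmlns:j="jelly:core">
  <h2>Results for: ${query}</h2>
</j:jelly>
"""

VIEW_ENABLED = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core">
  <h2>Results for: ${query}</h2>
</j:jelly>
"""

VIEW_MISSING = """<j:jelly xmlns:j="jelly:core">
  <p>${query} in ${it.displayName}</p>
</j:jelly>
"""

# The Jenkins/Jelly processing instruction that turns on output escaping.
DIRECTIVE_RE = re.compile(
    r"<\?jelly\s+escape-by-default\s*=\s*['\"](true|false)['\"]\s*\?>")
# A Jelly expression; group 1 is the expression text.
EXPR_RE = re.compile(r"\$\{([^}]*)\}")


def escape_by_default(source):
    """True/False from the directive; None when the view has no directive."""
    m = DIRECTIVE_RE.search(source)
    return None if m is None else m.group(1) == "true"


def unescaped_expressions(source):
    """Return the ${...} expressions that would reach the page unescaped.

    A missing directive is treated like 'false': Jelly only escapes
    expression output when escape-by-default is explicitly enabled.
    """
    if escape_by_default(source) is True:
        return []
    return EXPR_RE.findall(source)


def audit(views):
    """Map view name -> offending expressions, for views needing attention."""
    report = {}
    for name, source in views.items():
        found = unescaped_expressions(source)
        if found:
            report[name] = found
    return report


def render(source, context):
    """Toy stand-in for Jelly's ${...} substitution.

    Strips the directive and substitutes context values, HTML-escaping
    them only when the view asks for escape-by-default='true'.
    """
    escape = escape_by_default(source) is True
    body = DIRECTIVE_RE.sub("", source, count=1).lstrip()

    def substitute(m):
        value = str(context.get(m.group(1).strip(), ""))
        return html.escape(value, quote=True) if escape else value

    return EXPR_RE.sub(substitute, body)


if __name__ == "__main__":
    views = {"disabled.jelly": VIEW_DISABLED,
             "enabled.jelly": VIEW_ENABLED,
             "missing.jelly": VIEW_MISSING}
    for name, exprs in audit(views).items():
        print(f"{name}: unescaped expressions {exprs}")
    # Constructed query containing markup, to show the rendering difference.
    ctx = {"query": "<b>hello</b>"}
    print(render(VIEW_DISABLED, ctx))
    print(render(VIEW_ENABLED, ctx))
```

The audit is deliberately a regex pass over the source text, which is enough to catch the pattern fixed in this commit (a view that reflects a request parameter with escaping turned off). It does not model attribute contexts, `<j:out>` raw-output tags, or other places where markup can be emitted, so a clean report is a necessary but not sufficient check; the durable fix remains what the pull request does, namely enabling the directive and escaping all templated text in the view.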