CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input

[Reed Loden <reed () reedloden com>]

Just received an announcement stating ViewVC 1.1.5 and 1.0.11 were
released today (right on the heels of 1.1.4 and 1.0.10, for which I
still haven't received a CVE). Looks like they fix an XSS that needs
a CVE assigned.

"security fix: escape user-provided search_re input to avoid XSS
attack"

http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD

Here's the patch for the XSS:
http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2344

"""
There were too many ways to do something as simple as HTML escaping in
the ViewVC codebase.  Simplify, conjoin, remove, etc.

* lib/sapi.py
  (escape): New function.  *The* preferred HTML-escaping mechanism.
  (Server.escape): New common Server object escape mechanism (which
    uses the aforementioned escape(), of course).
  (CgiServer.escape, WsgiServer.escape, AspServer.escape,
   ModPythonServer.escape): Lose as unnecessary.

* lib/viewvc.py
  (Request.get_form): Escape hidden form variable names and values.
  (htmlify): Remove.
  (): Replace all uses of cgi.escape() and htmlify() with (directly or
    indirectly) sapi.escape().
  
* lib/query.py
  (main): Use server.escape() instead of cgi.escape().

* lib/blame.py
  (HTMLBlameSource.__getitem__): Use sapi.escape() instead of
    cgi.escape().

* lib/idiff.py
  (_mdiff_split, _differ_split): Use sapi.escape() instead of
    cgi.escape().
"""

~reed

-- 
Reed Loden - <reed () reedloden com>

Attachment: _bin
Description: