archive/phabricator
1
0
Fork 0
Code Issues 1 Pull Requests Packages Projects Releases Wiki Activity

Fix a self-XSS hole in Diffusion

Browse Source 
Summary:
Via HackerOne. We aren't correctly escaping the date, so a user can XSS themselves by setting their date format creatively.

This construction is very unusual and I don't think we do anything similar elsewhere, so I can't come up with a systematic change which would prevent this in the general case.

Test Plan: Set date format to tag junk, got self-XSS before patch and proper escaping after the patch.

Reviewers: btrahan, chad

Reviewed By: chad

Subscribers: epriestley

Differential Revision: https://secure.phabricator.com/D12117
This commit is contained in:
epriestley
2015-03-20 14:54:35 -07:00
parent 80b8dc521d
commit ac029d0a50
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/applications/diffusion/controller/DiffusionLastModifiedController.php
View File

@@ -153,6 +153,12 @@ final class DiffusionLastModifiedController extends DiffusionController {
number_format($lint)); number_format($lint));
} }
// The client treats these results as markup, so make sure they have been
// escaped correctly.
foreach ($return as $key => $value) {
$return[$key] = hsprintf('%s', $value);
}
return $return; return $return;
} }