diff -Nru loggerhead-1.17+bzr424/debian/changelog loggerhead-1.17+bzr424/debian/changelog
--- loggerhead-1.17+bzr424/debian/changelog 2010-09-09 10:25:32.000000000 +1000
+++ loggerhead-1.17+bzr424/debian/changelog 2011-03-24 13:26:23.000000000 +1100
@@ -1,3 +1,12 @@
+loggerhead (1.17+bzr424-1ubuntu1.1) maverick-security; urgency=low
+
+ * SECURITY UPDATE: Cross-site scripting vulnerabilities by crafted branch
+ contents. (LP: #740142)
+ - debian/patches/bug-740142.diff: improve escaping of filenames.
+ - CVE-2011-0728
+
+ -- William Grant Thu, 24 Mar 2011 13:20:04 +1100
+
 loggerhead (1.17+bzr424-1ubuntu1) maverick; urgency=low

 * debian/control: Recommend python-pygments to support
diff -Nru loggerhead-1.17+bzr424/debian/patches/bug-740142.diff loggerhead-1.17+bzr424/debian/patches/bug-740142.diff
--- loggerhead-1.17+bzr424/debian/patches/bug-740142.diff 1970-01-01 10:00:00.000000000 +1000
+++ loggerhead-1.17+bzr424/debian/patches/bug-740142.diff 2011-03-24 13:54:44.000000000 +1100
@@ -0,0 +1,204 @@ +Description: Fix for bug #740142 (CVE-2011-0728) + Changes backported from lp:~wgrant/loggerhead/1.18-bug-740142. +Bug: https://launchpad.net/bugs/740142 +Author: William Grant + +Index: maverick-740142/loggerhead/controllers/annotate_ui.py +=================================================================== +--- maverick-740142.orig/loggerhead/controllers/annotate_ui.py 2011-03-24 13:17:03.356466876 +1100 ++++ maverick-740142/loggerhead/controllers/annotate_ui.py 2011-03-24 13:17:08.323149000 +1100 +@@ -17,7 +17,6 @@ + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + # + +-import cgi + import os + import time + +@@ -71,7 +70,7 @@ + hl_lines = highlight(file_name, file_text, encoding) + hl_lines.extend([u''] * (len(file_lines) - len(hl_lines))) + else: +- hl_lines = map(cgi.escape, file_lines) ++ hl_lines = map(util.html_escape, file_lines) + + change_cache = {} + +Index: maverick-740142/loggerhead/templatefunctions.py +=================================================================== +--- maverick-740142.orig/loggerhead/templatefunctions.py 2011-03-24 13:17:03.456465146 +1100 ++++ maverick-740142/loggerhead/templatefunctions.py 2011-03-24 13:17:08.323149000 +1100 +@@ -14,8 +14,8 @@ + # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + # + +-import cgi + import os ++import urllib + + import pkg_resources + +@@ -23,6 +23,7 @@ + + import loggerhead + from loggerhead.zptsupport import zpt ++from loggerhead.util import html_format + + + templatefunctions = {} +@@ -49,16 +50,21 @@ + if style == 'fragment': + def file_link(filename): + if currently_showing and filename == currently_showing: +- return '%s' % ( +- cgi.escape(filename), cgi.escape(filename)) ++ return html_format( ++ '%s', ++ urllib.quote(filename.encode('utf-8')), filename) + else: + return revision_link( +- url, entry.revno, filename, '#' + filename) ++ url, entry.revno, filename, ++ '#' + urllib.quote(filename.encode('utf-8'))) + 
else: + def file_link(filename): +- return '%s' % ( +- url(['/revision', entry.revno]), '#' + filename, cgi.escape(filename), +- cgi.escape(entry.revno), cgi.escape(filename)) ++ return html_format( ++ '' ++ '%s', ++ url(['/revision', entry.revno]), ++ '#' + urllib.quote(filename.encode('utf-8')), ++ filename, entry.revno, filename) + return _pt('revisionfilechanges').expand( + entry=entry, file_changes=file_changes, file_link=file_link, **templatefunctions) + +@@ -122,14 +128,15 @@ + + @templatefunc + def annotate_link(url, revno, path): +- return '%s' % ( +- url(['/annotate', revno, path]), cgi.escape(path), cgi.escape(path)) ++ return html_format( ++ '%s', ++ url(['/annotate', revno, path]), path, path) + + @templatefunc + def revision_link(url, revno, path, frag=''): +- return '%s' % ( +- url(['/revision', revno, path]), frag, cgi.escape(path), +- cgi.escape(revno), cgi.escape(path)) ++ return html_format( ++ '%s', ++ url(['/revision', revno, path]), frag, path, revno, path) + + + @templatefunc +Index: maverick-740142/loggerhead/tests/test_simple.py +=================================================================== +--- maverick-740142.orig/loggerhead/tests/test_simple.py 2011-03-24 13:17:03.496464451 +1100 ++++ maverick-740142/loggerhead/tests/test_simple.py 2011-03-24 13:54:40.058662455 +1100 +@@ -61,9 +61,11 @@ + + self.filecontents = ('some\nmultiline\ndata\n' + 'with", ">"), ++ ("<", "<"), ++ ] ++ ++ ++def html_escape(s): ++ """Transform dangerous (X)HTML characters into entities. ++ ++ Like cgi.escape, except also escaping " and '. This makes it safe to use ++ in both attribute and element content. ++ ++ If you want to safely fill a format string with escaped values, use ++ html_format instead ++ """ ++ for char, repl in html_entity_subs: ++ s = s.replace(char, repl) ++ return s ++ + ++def html_format(template, *args): ++ """Safely format an HTML template string, escaping the arguments. 
++ ++ The template string must not be user-controlled; it will not be escaped. ++ """ ++ return template % tuple(html_escape(arg) for arg in args) ++ ++ ++# FIXME: get rid of this method; use fixed_width() and avoid XML(). + + def html_clean(s): + """ +@@ -223,7 +253,7 @@ + entities, and replace spaces with ' '. this is primarily for use + in displaying monospace text. + """ +- s = cgi.escape(s.expandtabs()) ++ s = html_escape(s.expandtabs()) + s = s.replace(' ', ' ') + return s + +@@ -269,7 +299,7 @@ + except UnicodeDecodeError: + s = s.decode('iso-8859-15') + +- s = cgi.escape(s).expandtabs().replace(' ', NONBREAKING_SPACE) ++ s = html_escape(s).expandtabs().replace(' ', NONBREAKING_SPACE) + + return HSC.clean(s).replace('\n', '
')
+
diff -Nru loggerhead-1.17+bzr424/debian/patches/series loggerhead-1.17+bzr424/debian/patches/series
--- loggerhead-1.17+bzr424/debian/patches/series 2010-09-09 10:23:57.000000000 +1000
+++ loggerhead-1.17+bzr424/debian/patches/series 2011-03-24 13:16:06.000000000 +1100
@@ -1 +1,2 @@
 debian-changes-1.17+bzr424-1
+bug-740142.diff
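Review bot: The correctness of `html_escape` in the util.py part of bug-740142.diff depends on the order of `html_entity_subs` — it applies the table with sequential `s.replace(char, repl)` calls, so the `&` substitution has to come before the `<`, `>`, `"` and `'` ones or the entities emitted by the later substitutions would be re-escaped; the head of that table is lost in this rendering of the hunk (the test_simple.py hunk and the start of the util.py hunk are mangled, and the `<a ...>` markup in the templatefunctions.py templates is stripped), so the order cannot be confirmed from what is visible, and a comment such as `# '&' must stay first: the later substitutions emit '&...;' entities` above `html_entity_subs` would make the constraint explicit. The `html_format` docstring should also state what the escaping covers — it makes the arguments safe as element text and as quoted attribute values, which is why `file_link` and the non-fragment branch separately `urllib.quote` the filename before it goes into the `#` fragment of the href — and that a literal `%` in a template must be written `%%`. Every argument goes through `html_escape`'s `str.replace`, so a non-string argument (the `revno` passed by `revision_link` and by the non-fragment `file_link`, if it is ever an int) would raise `AttributeError`; the replaced `cgi.escape` calls had the same requirement, so this is presumably unchanged, but adding `Arguments must be str or unicode.` to `html_format`'s docstring would record it.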