clwarn.cgi: Remove XSS

Fixes: #12966
Fixes: CVE-2022-44392
Reported-by: Arthur Naullet <arthur.naullet@epita.fr>
Reported-by: Rafael Lima <isec-researcher@protonmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer
2022-10-24 15:57:56 +01:00
parent c847846c4c
commit 2a0d7a03d7


@@ -20,6 +20,7 @@
###############################################################################
use CGI qw(param);
use HTML::Entities();
# enable only the following on debugging purpose
use warnings;
@@ -30,11 +31,11 @@ $swroot="/var/ipfire";
my $TITLE_VIRUS = "SquidClamAv Virus detection";
my $url = param('url') || '';
my $virus = param('virus') || '';
my $source = param('source') || '';
my $url = &HTML::Entities::encode_entities(param('url') || '');
my $virus = &HTML::Entities::encode_entities(param('virus') || '');
my $source = &HTML::Entities::encode_entities(param('source') || '');
$source =~ s/\/-//;
my $user = param('user') || '';
my $user = &HTML::Entities::encode_entities(param('user') || '');
# Remove clamd infos