[php-nusoap] * Thu Sep 02 2010 David Nalley <david at gnsa.us> 0.9.5-1 - moved to version 0.9.5 to follow upstream -

David Nalley ke4qqq at fedoraproject.org
Fri Sep 3 03:02:56 UTC 2010


commit ed7bc7778b2545f4371961447478456931bed940
Author: David Nalley <david at gnsa.us>
Date:   Thu Sep 2 23:02:43 2010 -0400

    * Thu Sep 02 2010 David Nalley <david at gnsa.us> 0.9.5-1
    - moved to version 0.9.5 to follow upstream
    - patched XSS security vulnerability (thanks to David Hicks <hickseydr at optusnet.com.au> from MantisBT community) BZ# 629585

 nusoap.xss.patch |   89 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 89 insertions(+), 0 deletions(-)
---
diff --git a/nusoap.xss.patch b/nusoap.xss.patch
new file mode 100644
index 0000000..a03bf2e
--- /dev/null
+++ b/nusoap.xss.patch
@@ -0,0 +1,89 @@
+--- lib/class.wsdl.php	2010-04-26 16:38:08.000000000 -0400
++++ lib.new/class.wsdl.php	2010-09-02 22:27:53.963411943 -0400
+@@ -842,9 +842,9 @@
+ 		<body>
+ 		<div class=content>
+ 			<br><br>
+-			<div class=title>'.$this->serviceName.'</div>
++                        <div class=title>'.htmlentities($this->serviceName).'</div>
+ 			<div class=nav>
+-				<p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
++                                <p>View the <a href="'.htmlentities($PHP_SELF).'?wsdl">WSDL</a> for the service.
+ 				Click on an operation name to view it&apos;s details.</p>
+ 				<ul>';
+ 				foreach($this->getOperations() as $op => $data){
+@@ -854,21 +854,21 @@
+ 				    <a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
+ 				    foreach($data as $donnie => $marie){ // loop through opdata
+ 						if($donnie == 'input' || $donnie == 'output'){ // show input/output data
+-						    $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
++						    $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).':</font><br>';
+ 						    foreach($marie as $captain => $tenille){ // loop through data
+ 								if($captain == 'parts'){ // loop thru parts
+-								    $b .= "&nbsp;&nbsp;$captain:<br>";
++								    $b .= "&nbsp;&nbsp;".htmlentities($captain).":<br>";
+ 					                //if(is_array($tenille)){
+ 								    	foreach($tenille as $joanie => $chachi){
+-											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;$joanie: $chachi<br>";
++											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;".htmlentities($joanie).": ".htmlentities($chachi)."<br>";
+ 								    	}
+ 					        		//}
+ 								} else {
+-								    $b .= "&nbsp;&nbsp;$captain: $tenille<br>";
++								    $b .= "&nbsp;&nbsp;".htmlentities($captain).": ".htmlentities($tenille)."<br>";
+ 								}
+ 						    }
+ 						} else {
+-						    $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
++						    $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).":</font> ".htmlentities($marie)."<br>";
+ 						}
+ 				    }
+ 					$b .= '</div>';
+@@ -1935,4 +1935,4 @@
+ 	} 
+ }
+ 
+-?>
+\ No newline at end of file
++?>
+--- lib/nusoap.php	2010-04-26 16:38:08.000000000 -0400
++++ lib.new/nusoap.php	2010-09-02 22:40:38.277661391 -0400
+@@ -5424,9 +5424,9 @@
+ 		<body>
+ 		<div class=content>
+ 			<br><br>
+-			<div class=title>'.$this->serviceName.'</div>
++                        <div class=title>'.htmlentities($this->serviceName).'</div>
+ 			<div class=nav>
+-				<p>View the <a href="'.$PHP_SELF.'?wsdl">WSDL</a> for the service.
++                                <p>View the <a href="'.htmlentities($PHP_SELF).'?wsdl">WSDL</a> for the service.
+ 				Click on an operation name to view it&apos;s details.</p>
+ 				<ul>';
+ 				foreach($this->getOperations() as $op => $data){
+@@ -5436,21 +5436,21 @@
+ 				    <a href='#' onclick='popout()'><font color='#ffffff'>Close</font></a><br><br>";
+ 				    foreach($data as $donnie => $marie){ // loop through opdata
+ 						if($donnie == 'input' || $donnie == 'output'){ // show input/output data
+-						    $b .= "<font color='white'>".ucfirst($donnie).':</font><br>';
++                                                  $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).':</font><br>';
+ 						    foreach($marie as $captain => $tenille){ // loop through data
+ 								if($captain == 'parts'){ // loop thru parts
+-								    $b .= "&nbsp;&nbsp;$captain:<br>";
++                                                                    $b .= "&nbsp;&nbsp;".htmlentities($captain).":<br>";
+ 					                //if(is_array($tenille)){
+ 								    	foreach($tenille as $joanie => $chachi){
+-											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;$joanie: $chachi<br>";
++											$b .= "&nbsp;&nbsp;&nbsp;&nbsp;".htmlentities($joanie).": ".htmlentities($chachi)."<br>";
+ 								    	}
+ 					        		//}
+ 								} else {
+-								    $b .= "&nbsp;&nbsp;$captain: $tenille<br>";
++								    $b .= "&nbsp;&nbsp;".htmlentities($captain).": ".htmlentities($tenille)."<br>";
+ 								}
+ 						    }
+ 						} else {
+-						    $b .= "<font color='white'>".ucfirst($donnie).":</font> $marie<br>";
++						    $b .= "<font color='white'>".htmlentities(ucfirst($donnie)).":</font> ".htmlentities($marie)."<br>";
+ 						}
+ 				    }
+ 					$b .= '</div>';
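Review bot: Every `htmlentities()` call added in both files relies on the function's default flags and charset, which on PHP before 5.4 means ISO-8859-1 encoding and ENT_COMPAT (single quotes untouched), so a UTF-8 service name or WSDL value can be mangled on output and the same call would not be safe if reused inside a single-quoted attribute. Prefer the explicit form on every added line, e.g. `htmlentities($this->serviceName, ENT_QUOTES, 'UTF-8')` — `htmlspecialchars` with the same arguments is sufficient for the text nodes and the double-quoted `href` built from `$PHP_SELF` here. The lines between the two hunks, where `$op` from `getOperations()` is presumably written into the operation list and the per-operation `<div>` markup, are not in the patch; if `$op` is interpolated there unescaped it needs the same treatment, since the `foreach` that starts in the first hunk continues past it. Separately, the replaced `<div class=title>`, `<a href=...?wsdl>` and two `$b .=` lines swap the file's tab indentation for spaces, which is noise in a security patch and makes the diff harder to audit.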

