[sticky-notes] Fix XSS issue in username parameter at login page

athmane athmane at fedoraproject.org
Tue Jun 19 22:15:18 UTC 2012


commit 44a3b2e9c7a62d8d05ec102ff120503a09bbd6c1
Author: Athmane Madjoudj <athmane at fedoraproject.org>
Date:   Tue Jun 19 23:14:53 2012 +0100

    Fix XSS issue in username parameter at login page

 sticky-notes-fix-login-username-xss.patch |   18 ++++++++++++++++++
 sticky-notes.spec                         |    9 ++++++++-
 2 files changed, 26 insertions(+), 1 deletions(-)
---
diff --git a/sticky-notes-fix-login-username-xss.patch b/sticky-notes-fix-login-username-xss.patch
new file mode 100644
index 0000000..2ce6b1f
--- /dev/null
+++ b/sticky-notes-fix-login-username-xss.patch
@@ -0,0 +1,18 @@
+--- admin/login.php.orig	2012-06-19 21:37:26.606807091 -0100
++++ admin/login.php	2012-06-19 21:38:29.380814750 -0100
+@@ -44,7 +44,7 @@
+     {
+         $banner_type = 'error';
+         $banner_visibility = 'visible';
+-        $banner_text = preg_replace('/\_\_user\_\_/', $username, $lang->get('invalid_login'));
++        $banner_text = preg_replace('/\_\_user\_\_/', htmlentities($username), $lang->get('invalid_login'));
+     }
+ }
+ 
+@@ -72,4 +72,4 @@
+ $skin->title($lang->get('admin_login') . ' &bull; ' . $lang->get('site_title'));
+ echo $skin->output(false, false, true);
+ 
+-?>
+\ No newline at end of file
++?>
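Review bot: The added `htmlentities($username)` call uses the default flags, which in the PHP versions current for this package leave single quotes unencoded and pick the charset from the default rather than the page's encoding, so a username placed into a single-quoted attribute, or containing multibyte text, is still not safely escaped. The surrounding `preg_replace` also treats `$username` as a regex replacement string, so `$0`/`\0`-style sequences in the username are expanded rather than inserted literally. Both are avoided by a plain string substitution with explicit flags: `$banner_text = str_replace('__user__', htmlentities($username, ENT_QUOTES, 'UTF-8'), $lang->get('invalid_login'));` — the charset is assumed to be the site's output encoding and should be confirmed against the skin/templates. The conditional this branch belongs to starts before the hunk.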
diff --git a/sticky-notes.spec b/sticky-notes.spec
index 59f31a9..38d4be6 100644
--- a/sticky-notes.spec
+++ b/sticky-notes.spec
@@ -1,7 +1,7 @@
 Summary:	Sticky notes is a free and open source paste-bin application
 Name:		sticky-notes
 Version:	0.3.09062012.4
-Release:	4%{?dist}
+Release:	5%{?dist}
 License:	BSD
 Group:		Applications/Internet
 URL:		http://gitorious.org/sticky-notes	
@@ -13,6 +13,9 @@ URL:		http://gitorious.org/sticky-notes
 Source0:	sticky-notes-%{version}.tar.gz
 Source1:	sticky-notes-http-conf
 Patch0:		sticky-notes-unbundle-php-geshi.patch
+# Fix XSS issue in username parameter at login page
+# https://gitorious.org/sticky-notes/sticky-notes/merge_requests/2
+Patch1:		sticky-notes-fix-login-username-xss.patch
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
 BuildArch:	noarch
 Requires:	httpd
@@ -24,6 +27,7 @@ Sticky notes is a free and open source paste-bin application.
 %prep
 %setup -q -n sticky-notes
 %patch0 -p0
+%patch1 -p0
 %build
 
 %install
@@ -66,6 +70,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %doc VERSION
 
 %changelog
+* Tue Jun 19 2012 Athmane Madjoudj <athmane at fedoraproject.org> 0.3.09062012.4-5
+- Add a patch to fix XSS issue in username parameter at login page.
+
 * Thu Jun 14 2012 Athmane Madjoudj <athmane at fedoraproject.org> 0.3.09062012.4-4
 - Fix version number
 

