[mapproxy] 02/03: Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service. Fixes CVE-2017-1000426.
Bas Couwenberg
sebastic at debian.org
Sun Jan 7 08:54:58 UTC 2018
sebastic pushed a commit to branch stretch
in repository mapproxy.
commit 0dcbb58680acb37a3fdf425c26f42480480870da
Author: Bas Couwenberg <sebastic at xs4all.nl>
Date: Sun Jan 7 09:33:10 2018 +0100
Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service. Fixes CVE-2017-1000426.
---
debian/changelog | 2 +
.../0001-demo-escape-args-to-avoid-XSS.patch | 66 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 69 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index b77c528..83742a6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
mapproxy (1.9.0-3+deb9u1) UNRELEASED; urgency=medium
* Update branch in gbp.conf & Vcs-Git URL.
+ * Add upstream patch to fix Cross Site Scripting (XSS) issue in demo service.
+ Fixes CVE-2017-1000426.
-- Bas Couwenberg <sebastic at debian.org> Sun, 07 Jan 2018 09:31:30 +0100
diff --git a/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch b/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
new file mode 100644
index 0000000..f2e8faf
--- /dev/null
+++ b/debian/patches/0001-demo-escape-args-to-avoid-XSS.patch
@@ -0,0 +1,66 @@
+Description: demo: escape args to avoid XSS
+ Fixes CVE-2017-1000426,
+Author: Oliver Tonnhofer <olt at bogosoft.com>
+Origin: https://github.com/mapproxy/mapproxy/commit/87faa667007b00ef11ee09b16707aa9ad2e8da28
+
+--- a/mapproxy/service/demo.py
++++ b/mapproxy/service/demo.py
+@@ -22,6 +22,7 @@ import os
+ import pkg_resources
+ import mimetypes
+ from collections import defaultdict
++from xml.sax.saxutils import escape
+
+ from mapproxy.config.config import base_config
+ from mapproxy.compat import PY2
+@@ -108,7 +109,10 @@ class DemoServer(Server):
+ demo = self._render_capabilities_template('demo/capabilities_demo.html', capabilities, 'WMTS', url)
+ elif 'tms_capabilities' in req.args:
+ if 'layer' in req.args and 'srs' in req.args:
+- url = '%s/tms/1.0.0/%s/%s'%(req.script_url, req.args['layer'], req.args['srs'])
++ # prevent dir traversal (seems it's not possible with urllib2, but better safe then sorry)
++ layer = req.args['layer'].replace('..', '')
++ srs = req.args['srs'].replace('..', '')
++ url = '%s/tms/1.0.0/%s/%s'%(req.script_url, layer, srs)
+ else:
+ url = '%s/tms/1.0.0/'%(req.script_url)
+ capabilities = urllib2.urlopen(url)
+@@ -171,14 +175,14 @@ class DemoServer(Server):
+ def _render_wms_template(self, template, req):
+ template = get_template(template, default_inherit="demo/static.html")
+ layer = self.layers[req.args['wms_layer']]
+- srs = req.args['srs']
++ srs = escape(req.args['srs'])
+ bbox = layer.extent.bbox_for(SRS(srs))
+ width = bbox[2] - bbox[0]
+ height = bbox[3] - bbox[1]
+ min_res = max(width/256, height/256)
+ return template.substitute(layer=layer,
+ image_formats=self.image_formats,
+- format=req.args['format'],
++ format=escape(req.args['format']),
+ srs=srs,
+ layer_srs=self.layer_srs,
+ bbox=bbox,
+@@ -202,8 +206,8 @@ class DemoServer(Server):
+ else:
+ add_res_to_options = False
+ return template.substitute(layer=tile_layer,
+- srs=req.args['srs'],
+- format=req.args['format'],
++ srs=escape(req.args['srs']),
++ format=escape(req.args['format']),
+ resolutions=res,
+ units=units,
+ add_res_to_options=add_res_to_options,
+@@ -223,8 +227,8 @@ class DemoServer(Server):
+ units = 'm'
+ return template.substitute(layer=wmts_layer,
+ matrix_set=wmts_layer.grid.name,
+- format=req.args['format'],
+- srs=req.args['srs'],
++ format=escape(req.args['format']),
++ srs=escape(req.args['srs']),
+ resolutions=wmts_layer.grid.resolutions,
+ units=units,
+ all_tile_layers=self.tile_layers,
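Review bot: `xml.sax.saxutils.escape` as used in the `srs=`/`format=` substitutions (the `_render_wms_template` hunk and the two tile/WMTS `template.substitute` hunks after it) only encodes `&`, `<` and `>`, so the fix holds only where the template emits these values as element text; if any template places them inside an attribute value or a `<script>` string, a `"` or `'` in the request still breaks out. Passing the quote entities explicitly closes that gap with no new import: `escape(req.args['srs'], {'"': '&quot;', "'": '&#39;'})`, and the same for `format`. The `.replace('..', '')` in the `tms_capabilities` branch is not a path-segment encoding: `/`, `?` and `#` in `layer` or `srs` still reach `urllib2.urlopen` and can redirect the server-side fetch to another path or query under `req.script_url`; percent-encoding each segment with `quote(value, safe='')` (through whatever urllib shim `mapproxy.compat` provides for PY2/PY3) is the durable fix and makes the `..` stripping unnecessary. I cannot see the demo templates or the `Server` routing from here, so whether the attribute context or the altered fetch path is actually reachable needs confirming against them. The enclosing `DemoServer` methods start and end outside these hunks.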
diff --git a/debian/patches/series b/debian/patches/series
index 7ff43d8..7ce95c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -2,3 +2,4 @@ offline-tests.patch
0001-use-dummy-access_contraints-to-clarify-license.patch
disable-tag_date.patch
configuration-typo.patch
+0001-demo-escape-args-to-avoid-XSS.patch