[Git][debian-gis-team/mapproxy][master] 4 commits: New upstream version 1.11.1

Bas Couwenberg gitlab at salsa.debian.org
Tue Aug 6 12:17:36 BST 2019



Bas Couwenberg pushed to branch master at Debian GIS Project / mapproxy


Commits:
c72ad076 by Bas Couwenberg at 2019-08-06T10:59:20Z
New upstream version 1.11.1
- - - - -
2192c164 by Bas Couwenberg at 2019-08-06T10:59:26Z
Update upstream source from tag 'upstream/1.11.1'

Update to upstream version '1.11.1'
with Debian dir cd051b67f64b4635a6204205a5529305d771b584
- - - - -
24111e28 by Bas Couwenberg at 2019-08-06T10:59:30Z
New upstream release.

Fixes XSS issue in demo service, see:
https://github.com/mapproxy/mapproxy/issues/322

- - - - -
2aec124a by Bas Couwenberg at 2019-08-06T11:00:41Z
Set distribution to unstable.

- - - - -


5 changed files:

- CHANGES.txt
- debian/changelog
- doc/conf.py
- mapproxy/service/demo.py
- setup.py


Changes:

=====================================
CHANGES.txt
=====================================
@@ -1,4 +1,16 @@
-1.11.0 2017-11-xx
+1.11.1 2019-08-06
+~~~~~~~~~~~~~~~~~
+
+Fixes:
+
+- Fix Cross Site Scripting (XSS) issue in demo service. Fix for #322 did not
+  properly escaped input used in JavaScript examples.
+
+  A targeted attack could be used for information disclosure. For
+  example: Session cookies of a third party application running on
+  the same domain.
+
+1.11.0 2017-11-20
 ~~~~~~~~~~~~~~~~~
 
 Improvements:
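Review bot: the 1.11.1 entry reads "Fix for #322 did not properly escaped input used in JavaScript examples"; suggest "did not properly escape the input used in the JavaScript examples". The same hunk also changes the 1.11.0 header from "2017-11-xx" to "2017-11-20", a correction unrelated to this release that is worth a line in the commit message so it is not read as a 1.11.1 change.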


=====================================
debian/changelog
=====================================
@@ -1,3 +1,11 @@
+mapproxy (1.11.1-1) unstable; urgency=high
+
+  * New upstream release.
+    Fixes XSS issue in demo service, see:
+    https://github.com/mapproxy/mapproxy/issues/322
+
+ -- Bas Couwenberg <sebastic at debian.org>  Tue, 06 Aug 2019 13:00:23 +0200
+
 mapproxy (1.11.0-4) unstable; urgency=medium
 
   * Bump Standards-Version to 4.4.0, no changes.
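Review bot: the entry references only the upstream GitHub issue and no CVE identifier; if one has been or is later assigned for this XSS, add it to this changelog entry so the Debian security tracker can tie the fix to the 1.11.1-1 upload. urgency=high is the right choice for a security fix.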


=====================================
doc/conf.py
=====================================
@@ -51,7 +51,7 @@ copyright = u'Oliver Tonnhofer, Omniscale'
 # The short X.Y version.
 version = '1.11'
 # The full version, including alpha/beta/rc tags.
-release = '1.11.0'
+release = '1.11.1'
 
 # The language for content autogenerated by Sphinx. Refer to documentation
 # for a list of supported languages.


=====================================
mapproxy/service/demo.py
=====================================
@@ -22,7 +22,6 @@ import os
 import pkg_resources
 import mimetypes
 from collections import defaultdict
-from xml.sax.saxutils import escape
 
 from mapproxy.config.config import base_config
 from mapproxy.compat import PY2
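Review bot: none of the call sites of 'escape' appear in this diff, so it is not visible whether every use in demo.py now binds to the module-level replacement added at the end of the file rather than the removed 'xml.sax.saxutils.escape' (which by default escapes only '&', '<' and '>' and leaves quotes alone, presumably why it was insufficient for the JavaScript examples). Please confirm that each remaining 'escape(...)' in demo.py resolves to the new helper and that no other module imports 'escape' from 'mapproxy.service.demo' expecting the saxutils behaviour.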
@@ -258,3 +257,15 @@ class DemoServer(Server):
                 return True
             return False
         return True
+
+
+def escape(data):
+    """
+    Escape user-provided input data for safe inclusion in HTML _and_ JS to prevent XSS.
+    """
+    data = data.replace('&', '&')
+    data = data.replace('>', '>')
+    data = data.replace('<', '<')
+    data = data.replace("'", '')
+    data = data.replace('"', '')
+    return data
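Review bot: as shown in this hunk the first three replacements in the new 'escape()' are identities, "data.replace('&', '&')", "data.replace('>', '>')" and "data.replace('<', '<')", so the function as displayed leaves '&', '<' and '>' untouched and only strips quotes, which would not stop injection of tags. If the intended replacements are entity references ('&amp;', '&lt;', '&gt;') that the mail archive decoded, please verify the hunk against the actual upstream source before accepting it. Two further points: deleting "'" and '"' outright silently alters legitimate input (a layer title containing an apostrophe is changed rather than displayed), and HTML-entity escaping plus quote stripping is not a JavaScript-string escape, although the docstring claims "safe inclusion in HTML _and_ JS". For the JavaScript examples the conventional context-aware approach is to serialise the value with 'json.dumps()' and additionally replace '<', '>' and '&' with '\u003c', '\u003e' and '\u0026', keeping entity escaping for the HTML context only. The helper also ships without a test; a regression test feeding an input such as "<script>alert(1)</script>" through both contexts would pin down the expected output.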


=====================================
setup.py
=====================================
@@ -54,7 +54,7 @@ def long_description(changelog_releases=10):
 
 setup(
     name='MapProxy',
-    version="1.11.0",
+    version="1.11.1",
     description='An accelerating proxy for tile and web map services',
     long_description=long_description(7),
     author='Oliver Tonnhofer',



View it on GitLab: https://salsa.debian.org/debian-gis-team/mapproxy/compare/f48ed0efdce3435a92ecfbb78a322e6abf75a323...2aec124abb652847e663d7d7004193ccf1db9b3f
