[Git][debian-gis-team/mapproxy][upstream] New upstream version 1.11.1
Bas Couwenberg
gitlab at salsa.debian.org
Tue Aug 6 12:17:39 BST 2019
Bas Couwenberg pushed to branch upstream at Debian GIS Project / mapproxy
Commits:
c72ad076 by Bas Couwenberg at 2019-08-06T10:59:20Z
New upstream version 1.11.1
- - - - -
4 changed files:
- CHANGES.txt
- doc/conf.py
- mapproxy/service/demo.py
- setup.py
Changes:
=====================================
CHANGES.txt
=====================================
@@ -1,4 +1,16 @@
-1.11.0 2017-11-xx
+1.11.1 2019-08-06
+~~~~~~~~~~~~~~~~~
+
+Fixes:
+
+- Fix Cross Site Scripting (XSS) issue in demo service. Fix for #322 did not
+ properly escaped input used in JavaScript examples.
+
+ A targeted attack could be used for information disclosure. For
+ example: Session cookies of a third party application running on
+ the same domain.
+
+1.11.0 2017-11-20
~~~~~~~~~~~~~~~~~
Improvements:
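Review bot: the new changelog entry reads "did not properly escaped", which should be "did not properly escape", and it names the earlier fix (#322) but gives no issue or advisory reference for this one. If an identifier exists, adding it to the entry would let packagers and scanners tie 1.11.1 to the fix. The entry could also state whether deployments that do not expose the demo service are unaffected.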
=====================================
doc/conf.py
=====================================
@@ -51,7 +51,7 @@ copyright = u'Oliver Tonnhofer, Omniscale'
# The short X.Y version.
version = '1.11'
# The full version, including alpha/beta/rc tags.
-release = '1.11.0'
+release = '1.11.1'
# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
=====================================
mapproxy/service/demo.py
=====================================
@@ -22,7 +22,6 @@ import os
import pkg_resources
import mimetypes
from collections import defaultdict
-from xml.sax.saxutils import escape
from mapproxy.config.config import base_config
from mapproxy.compat import PY2
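Review bot: removing `from xml.sax.saxutils import escape` while the module keeps using the name `escape` means every existing call site changes behaviour without appearing in this diff. A distinct name for the replacement would make the affected call sites show up in review, and would keep a later re-import of the library function from silently undoing the fix.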
@@ -258,3 +257,15 @@ class DemoServer(Server):
return True
return False
return True
+
+
+def escape(data):
+ """
+ Escape user-provided input data for safe inclusion in HTML _and_ JS to prevent XSS.
+ """
+ data = data.replace('&', '&')
+ data = data.replace('>', '>')
+ data = data.replace('<', '<')
+ data = data.replace("'", '')
+ data = data.replace('"', '')
+ return data
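Review bot: the docstring of `escape` promises safety in "HTML _and_ JS", but the body only handles `&`, `<`, `>` and the two quote characters. Backslash and line terminators, which matter inside a JavaScript string literal, are not covered, so the guarantee depends on how each template embeds the value. Consider encoding per context (an HTML escaper for markup, a JSON/JS string encoder for values placed in script), or documenting exactly which template positions this function is safe for, and add a unit test that pins the output for each special character. As the hunk is rendered in this mail, the `&`, `>` and `<` lines replace a character with itself and the quote lines replace with an empty string, which looks like entity decoding by the archive; worth confirming against the commit on GitLab.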
=====================================
setup.py
=====================================
@@ -54,7 +54,7 @@ def long_description(changelog_releases=10):
setup(
name='MapProxy',
- version="1.11.0",
+ version="1.11.1",
description='An accelerating proxy for tile and web map services',
long_description=long_description(7),
author='Oliver Tonnhofer',
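Review bot: the version string is bumped by hand here (`version="1.11.1"`) and again in doc/conf.py (`release = '1.11.1'`), so the two can drift on a future release. Reading the release value from a single place would avoid that.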
View it on GitLab: https://salsa.debian.org/debian-gis-team/mapproxy/commit/c72ad076a9728b6492ee9b60bd1d1e49ba9e805e