diff options
author | Eric Hameleers <alien@slackware.com> | 2013-04-11 10:55:20 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2013-04-11 10:55:20 +0000 |
commit | a025aa2a8858a8f23f3c993a51f8b97b7d6ee367 (patch) | |
tree | 8a209790fa5d65cd7327560fc3dc9bb0922a775f /vlc | |
parent | ac5cf82249150b01dd6d64ed3c13bb5654a82898 (diff) | |
download | asb-a025aa2a8858a8f23f3c993a51f8b97b7d6ee367.tar.gz asb-a025aa2a8858a8f23f3c993a51f8b97b7d6ee367.tar.xz |
Initial revision
Diffstat (limited to 'vlc')
-rw-r--r-- | vlc/build/vlc-2.0.6_xss_vulns.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/vlc/build/vlc-2.0.6_xss_vulns.patch b/vlc/build/vlc-2.0.6_xss_vulns.patch new file mode 100644 index 00000000..515b7ddd --- /dev/null +++ b/vlc/build/vlc-2.0.6_xss_vulns.patch @@ -0,0 +1,39 @@ +From: Ludovic Fauvet <etix@videolan.org> +Date: Mon, 8 Apr 2013 12:10:50 +0000 (+0200) +Subject: lua http: fix two xss vulnerabilities +X-Git-Url: http://git.videolan.org/?p=vlc%2Fvlc-2.0.git;a=commitdiff_plain;h=d8b8b9c90113cb19d592bd2d6a7e94b4ea85f610 + +lua http: fix two xss vulnerabilities +(cherry picked from commit bf02b8dd211d5a52aa301a9a2ff4e73ed8195881) + +Signed-off-by: Jean-Baptiste Kempf <jb@videolan.org> +--- + +diff --git a/share/lua/http/requests/vlm_cmd.xml b/share/lua/http/requests/vlm_cmd.xml +index 2e49db3..10a9a4a 100644 +--- a/share/lua/http/requests/vlm_cmd.xml ++++ b/share/lua/http/requests/vlm_cmd.xml +@@ -27,7 +27,7 @@ + if _GET["command"] then + local msg = vlm:execute_command(_GET["command"]) + if msg.value then +- print(msg.name,":",msg.value) ++ print(msg.name,":",vlc.strings.convert_xml_special_chars(msg.value)) + end + else + ?>No command<?vlc +diff --git a/share/lua/intf/http.lua b/share/lua/intf/http.lua +index 9d3e7ed..ccc3b23 100644 +--- a/share/lua/intf/http.lua ++++ b/share/lua/intf/http.lua +@@ -107,7 +107,8 @@ function callback_error(path,url,msg) + <title>Error loading ]]..url..[[</title> + </head> + <body> +-<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information." or tostring(msg))..[[</pre> ++<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information." ++or vlc.strings.convert_xml_special_chars(tostring(msg)))..[[</pre> + <p> + <a href="http://www.videolan.org/">VideoLAN</a><br/> + <a href="http://www.lua.org/manual/5.1/">Lua 5.1 Reference Manual</a> + |