Fossil SCM
Add taint confinement to unquoted inline variable expansion from Th_Render(). Improvements to the taint confinement error message.
Commit
d259be4017e38a679dc76466782d224a6ae03a9908f5b52607b71d77539b44c7
Parent
0499cc252eb36ba…
1 file changed
+7
-2
+7
-2
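--- a/src/th_main.c
+++ b/src/th_main.c
@@ -2983,11 +2983,16 @@
 }
 rc = Th_GetVar(g.interp, (char*)zVar, nVar);
 z += i+1+n;
 i = 0;
 zResult = (char*)Th_GetResult(g.interp, &n);
-sendText(pOut,(char*)zResult, n, encode);
+if( !TH1_TAINTED(n)
+|| encode
+|| Th_ReportTaint(g.interp, "inline variable", zVar, nVar)==TH_OK
+){
+sendText(pOut,(char*)zResult, n, encode);
+}
 }else if( z[i]=='<' && isBeginScriptTag(&z[i]) ){
 sendText(pOut,z, i, 0);
 z += i+5;
 for(i=0; z[i] && (z[i]!='<' || !isEndScriptTag(&z[i])); i++){}
 if( g.thTrace ){
@@ -3086,11 +3091,11 @@
 zVulnType = "SQL-injection";
 }else{
 zVulnType = "XSS";
 }
 nStr = TH1_LEN(nStr);
-fossil_errorlog("possible %s vulnerability due to tainted TH1 %s: \"%.*s\"",
+fossil_errorlog("possible TH1 %s vulnerability due to tainted %s: \"%.*s\"",
 zVulnType, zWhere, nStr, zStr);
 if( strcmp(zDisp,"log")==0 ){
 return 0;
 }
 if( strcmp(zDisp,"block")==0 ){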
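Review bot: In the first hunk the length `n` handed to `sendText()` can still carry the taint flag, because the call is reached for a tainted result whenever `encode` is set or `Th_ReportTaint()` returns `TH_OK`. The second hunk masks its length with `TH1_LEN(nStr)` before using it, which suggests the raw value is not a plain byte count; unless `sendText()` strips the flag itself (not visible here), the call should read `sendText(pOut,(char*)zResult, TH1_LEN(n), encode);`. A one-line comment above the condition would help the next reader, for example `/* tainted text is emitted only when HTML-encoded or when the taint report returns TH_OK */`. When the report returns anything else the expansion is dropped while `rc` keeps the value from `Th_GetVar()`, so it is worth confirming that the caller still sees the failure. The enclosing function starts and ends outside both hunks.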
| --- src/th_main.c | |
| +++ src/th_main.c | |
| @@ -2983,11 +2983,16 @@ | |
| 2983 | } |
| 2984 | rc = Th_GetVar(g.interp, (char*)zVar, nVar); |
| 2985 | z += i+1+n; |
| 2986 | i = 0; |
| 2987 | zResult = (char*)Th_GetResult(g.interp, &n); |
| 2988 | sendText(pOut,(char*)zResult, n, encode); |
| 2989 | }else if( z[i]=='<' && isBeginScriptTag(&z[i]) ){ |
| 2990 | sendText(pOut,z, i, 0); |
| 2991 | z += i+5; |
| 2992 | for(i=0; z[i] && (z[i]!='<' || !isEndScriptTag(&z[i])); i++){} |
| 2993 | if( g.thTrace ){ |
| @@ -3086,11 +3091,11 @@ | |
| 3086 | zVulnType = "SQL-injection"; |
| 3087 | }else{ |
| 3088 | zVulnType = "XSS"; |
| 3089 | } |
| 3090 | nStr = TH1_LEN(nStr); |
| 3091 | fossil_errorlog("possible %s vulnerability due to tainted TH1 %s: \"%.*s\"", |
| 3092 | zVulnType, zWhere, nStr, zStr); |
| 3093 | if( strcmp(zDisp,"log")==0 ){ |
| 3094 | return 0; |
| 3095 | } |
| 3096 | if( strcmp(zDisp,"block")==0 ){ |
| 3097 |
| --- src/th_main.c | |
| +++ src/th_main.c | |
| @@ -2983,11 +2983,16 @@ | |
| 2983 | } |
| 2984 | rc = Th_GetVar(g.interp, (char*)zVar, nVar); |
| 2985 | z += i+1+n; |
| 2986 | i = 0; |
| 2987 | zResult = (char*)Th_GetResult(g.interp, &n); |
| 2988 | if( !TH1_TAINTED(n) |
| 2989 | || encode |
| 2990 | || Th_ReportTaint(g.interp, "inline variable", zVar, nVar)==TH_OK |
| 2991 | ){ |
| 2992 | sendText(pOut,(char*)zResult, n, encode); |
| 2993 | } |
| 2994 | }else if( z[i]=='<' && isBeginScriptTag(&z[i]) ){ |
| 2995 | sendText(pOut,z, i, 0); |
| 2996 | z += i+5; |
| 2997 | for(i=0; z[i] && (z[i]!='<' || !isEndScriptTag(&z[i])); i++){} |
| 2998 | if( g.thTrace ){ |
| @@ -3086,11 +3091,11 @@ | |
| 3091 | zVulnType = "SQL-injection"; |
| 3092 | }else{ |
| 3093 | zVulnType = "XSS"; |
| 3094 | } |
| 3095 | nStr = TH1_LEN(nStr); |
| 3096 | fossil_errorlog("possible TH1 %s vulnerability due to tainted %s: \"%.*s\"", |
| 3097 | zVulnType, zWhere, nStr, zStr); |
| 3098 | if( strcmp(zDisp,"log")==0 ){ |
| 3099 | return 0; |
| 3100 | } |
| 3101 | if( strcmp(zDisp,"block")==0 ){ |
| 3102 |