fateserver/history: escape untrusted data

Fixes Cross-Site Scripting with:

http://fate.ffmpeg.org/history.cgi?slot="><script>alert(1)</script>

or equivalent.

Signed-off-by: Timothy Gu <timothygu99@gmail.com>
TimothyGu authored and michaelni committed Mar 2, 2014
1 parent ee09887 commit f9325eed150d493c2b831c2da4e0a4ce7495e846
Showing with 4 additions and 1 deletion.
  1. +4 −1 history.cgi
@@ -20,11 +20,14 @@ use warnings;
use CGI qw/param/;
use FATE;
use Time::Zone;
use HTML::Entities;
my $slot = param 'slot';
my $slotdir = "$fatedir/$slot";
opendir D, $slotdir or fail "Slot $slot not found";
my $slot_escaped = encode_entities $slot;
opendir D, $slotdir or fail "Slot $slot_escaped not found";
my @reps = grep { /^[0-9]/ and -d "$slotdir/$_" } readdir D;
close D;
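Review bot: escaping `$slot` in the `fail` message fixes the reflected output, but the value still comes straight from `param 'slot'` and is interpolated unvalidated into `my $slotdir = "$fatedir/$slot";`, so the root cause (untrusted input used without validation) is unchanged. Consider rejecting anything that does not match the expected slot-name shape before `$slotdir` is built, e.g. `defined $slot and $slot =~ /^[\w.-]+$/ or fail "Invalid slot";`; that keeps `..` and path separators out of the filesystem lookup and avoids the undefined-value warning under `use warnings` when the parameter is absent. It also reduces the risk of forgetting `$slot_escaped` at other output sites: as written, any other place `$slot` is echoed into the page still has to use the escaped copy. Minor: the dirhandle opened with `opendir` should be released with `closedir D;` rather than `close D;`.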

0 comments on commit f9325ee