Session: encode HTML entities in error

Without this, it's possible to self-XSS by trying to set a session id to something like `</script><svg/onload='alert("xss")'>`.
perl-catalyst · Dec 6, 2018 · 88d1b59 · 88d1b59
1 parent 2790acd
commit 88d1b59
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/lib/Catalyst/Plugin/Session.pm b/lib/Catalyst/Plugin/Session.pm
@@ -9,6 +9,7 @@ use Catalyst::Exception ();
 use Digest              ();
 use overload            ();
 use Object::Signature   ();
+use HTML::Entities      ();
 use Carp;
 use List::Util qw/ max /;
 
@@ -480,6 +481,7 @@ sub _load_sessionid {
             $c->_sessionid($sid);
             return $sid;
         } else {
+            $sid = HTML::Entities::encode_entities($sid);
             my $err = "Tried to set invalid session ID '$sid'";
             $c->log->error($err);
             Catalyst::Exception->throw($err);