issue2550711 Fix XSS vulnerability in @action parameter.

thanks to "om" for reporting. Also fix issue number of previous change-entry.
roundup-tracker · Jan 5, 2012 · ea29de3 · ea29de3
1 parent 38193cc
commit ea29de3
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 2 deletions.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -55,8 +55,10 @@ Fixed:
   backported version of my proposed changes to
   email.header.decode_header in http://bugs.python.org/issue1079
   (Ralf)
-- issue2550711 Fix XSS vulnerability when username contains HTML code,
+- issue2550684 Fix XSS vulnerability when username contains HTML code,
   thanks to Thomas Arendsen Hein for reporting and patch.
+- issue2550711 Fix XSS vulnerability in @action parameter,
+  thanks to "om" for reporting.
 
 
 2011-07-15: 1.4.19

diff --git a/doc/acknowledgements.txt b/doc/acknowledgements.txt
@@ -104,6 +104,7 @@ Stefan Niederhauser,
 Truls E. Næss,
 Bryce L Nordgren,
 Patrick Ohly,
+"om",
 Luke Opperman,
 Eddie Parker,
 Will Partain,

diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1171,7 +1171,7 @@ def get_action_class(self, action_name):
                 if name == action_name:
                     break
             else:
-                raise ValueError('No such action "%s"'%action_name)
+                raise ValueError('No such action "%s"'%cgi.escape(action_name))
         return action_klass
 
     def _socket_op(self, call, *args, **kwargs):