Commit 340f0fc9 authored by Dave Cridland's avatar Dave Cridland

OF-836 CVE-2015-6972 MUC service description

The mucdesc parameter of muc-service-edit-form.jsp was reflected unescaped in
the summary view at muc-service-summary.jsp

This was reported by Florian Nivette of Sysdream.

Fixed by escaping on output within muc-service-summary.jsp.

In addition, domain validation was added on input.
parent b44bf488
...@@ -24,6 +24,7 @@ ...@@ -24,6 +24,7 @@
errorPage="error.jsp" errorPage="error.jsp"
%> %>
<%@ page import="java.net.URLEncoder" %> <%@ page import="java.net.URLEncoder" %>
<%@ page import="org.xmpp.packet.JID" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %> <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
...@@ -66,6 +67,12 @@ ...@@ -66,6 +67,12 @@
// do validation // do validation
if (mucname == null || mucname.indexOf('.') >= 0 || mucname.length() < 1) { if (mucname == null || mucname.indexOf('.') >= 0 || mucname.length() < 1) {
errors.put("mucname","mucname"); errors.put("mucname","mucname");
} else {
try {
mucname = JID.domainprep(mucname);
} catch (Exception e) {
errors.put("mucname", e.getMessage());
}
} }
if (errors.size() == 0) { if (errors.size() == 0) {
if (!create) { if (!create) {
......
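Review bot: In the new `else` branch, `errors.put("mucname", e.getMessage())` stores the exception text as the error value, whereas the branch just above it stores the fixed token `"mucname"`. The message from `JID.domainprep` may echo the rejected input and may also be null, so if an error value is ever written into the page it would need escaping; whether this page does that is not visible in the hunk. I would keep the fixed token, `errors.put("mucname", "mucname");`, and send the exception to the log instead. The added validation covers only `mucname`; no check on `mucdesc`, the parameter named in the commit message, appears in the visible hunks, so the description relies entirely on output escaping. The enclosing scriptlet starts and ends outside the hunk.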
...@@ -200,7 +200,7 @@ ...@@ -200,7 +200,7 @@
<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(service.getServiceName())) %></a> <a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(service.getServiceName())) %></a>
</td> </td>
<td width="33%"> <td width="33%">
<%= service.getDescription() %> &nbsp; <%= StringUtils.escapeHTMLTags(service.getDescription()) %> &nbsp;
</td> </td>
<td width="5%"> <td width="5%">
<a href="muc-room-summary.jsp?mucname==<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= service.getNumberChatRooms() %></a> <a href="muc-room-summary.jsp?mucname==<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= service.getNumberChatRooms() %></a>
......
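Review bot: Escaping the description at this one `<%= %>` fixes the summary table, but any other page that prints `service.getDescription()` is not touched by this commit and should be checked the same way; the edit form presumably shows it back in an input field. `StringUtils.escapeHTMLTags` is, as far as I know, limited to angle brackets, which fits element content like this cell but would not be enough inside an attribute value, where quotes must be escaped too. Separately, the unchanged link in the next cell reads `muc-room-summary.jsp?mucname==<%= ... %>` with a doubled `=`, so the target page would receive a name starting with `=`; it should be `?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>`. The table row starts and ends outside the hunk.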