Commit 340f0fc9 authored by Dave Cridland's avatar Dave Cridland

OF-836 CVE-2015-6972 MUC service description

The mucdesc parameter of muc-service-edit-form.jsp was reflected unescaped in
the summary view at muc-service-summary.jsp

This was reported by Florian Nivette of Sysdream.

Fixed by escaping on output within muc-service-summary.jsp.

In addition, domain validation was added on input.
parent b44bf488
......@@ -24,6 +24,7 @@
errorPage="error.jsp"
%>
<%@ page import="java.net.URLEncoder" %>
<%@ page import="org.xmpp.packet.JID" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
......@@ -66,6 +67,12 @@
// do validation
if (mucname == null || mucname.indexOf('.') >= 0 || mucname.length() < 1) {
errors.put("mucname","mucname");
} else {
try {
mucname = JID.domainprep(mucname);
} catch (Exception e) {
errors.put("mucname", e.getMessage());
}
}
if (errors.size() == 0) {
if (!create) {
......
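Review bot: The new catch branch stores `e.getMessage()` as the error value for `mucname`, while the branch above it stores a fixed key. If the form markup outside this hunk ever prints that map value, text derived from the rejected input could reach the page unescaped, which is the same class of bug this commit fixes. Keeping the constant, `errors.put("mucname", "mucname");`, and sending the exception to the server log avoids that; narrowing `catch (Exception e)` to the exception type `JID.domainprep` declares would also stop unrelated failures from being reported as a bad name. The scriptlet this validation sits in starts and ends outside the hunk.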
......@@ -200,7 +200,7 @@
<a href="muc-service-edit-form.jsp?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= StringUtils.escapeHTMLTags(JID.unescapeNode(service.getServiceName())) %></a>
</td>
<td width="33%">
<%= service.getDescription() %> &nbsp;
<%= StringUtils.escapeHTMLTags(service.getDescription()) %> &nbsp;
</td>
<td width="5%">
<a href="muc-room-summary.jsp?mucname==<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>"><%= service.getNumberChatRooms() %></a>
......
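Review bot: The description is now escaped at this one table cell, but nothing visible in the commit covers the other places that print `service.getDescription()`, such as the edit form that presumably pre-fills it. If `StringUtils.escapeHTMLTags` only neutralises angle brackets, as its name suggests, it is adequate for element content like this cell but not for an attribute value, so those sinks need an attribute-safe encoder. Separately, the room-count link two lines below carries a doubled equals sign, `muc-room-summary.jsp?mucname==<%= ... %>`, which puts a stray `=` at the start of the parameter value; it should read `?mucname=<%= URLEncoder.encode(service.getServiceName(), "UTF-8") %>`. The table row continues outside the hunk.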