
[1/2] templatetags: Do not mark output of msgid tag as safe

Message ID 20190705020703.6656-2-dja@axtens.net
State Accepted
Series: XSS in Patchwork - CVE-2019-13122

Commit Message

Daniel Axtens July 5, 2019, 2:07 a.m. UTC
From: Andrew Donnellan <ajd@linux.ibm.com>

The msgid template tag exists to remove angle brackets from either side of
the Message-ID header.

It also marks its output as safe, meaning it does not get autoescaped by
Django templating.

Its output is not safe. A maliciously crafted email can include HTML tags
inside the Message-ID header, and as long as the angle brackets are not at
the start and end of the header, we will quite happily render them.

Rather than using mark_safe(), use escape() to explicitly escape the
Message-ID.

Signed-off-by: Andrew Donnellan <ajd@linux.ibm.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 patchwork/templatetags/patch.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Patch

diff --git a/patchwork/templatetags/patch.py b/patchwork/templatetags/patch.py
index ea5a71de362f..757f873b6043 100644
--- a/patchwork/templatetags/patch.py
+++ b/patchwork/templatetags/patch.py
@@ -5,6 +5,7 @@ 
 # SPDX-License-Identifier: GPL-2.0-or-later
 
 from django import template
+from django.utils.html import escape
 from django.utils.safestring import mark_safe
 from django.template.defaultfilters import stringfilter
 
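Review bot: the `from django.utils.safestring import mark_safe` line directly below the new import is left in place; if the `msgid` filter was the only user of `mark_safe` in patch.py, that import becomes dead once the second hunk lands, so either confirm another function in this file still calls it or drop it to keep linters clean. The placement of `from django.utils.html import escape` keeps the imports in alphabetical order, which is fine.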
@@ -64,4 +65,4 @@  def patch_checks(patch):
 @register.filter
 @stringfilter
 def msgid(value):
-    return mark_safe(value.strip('<>'))
+    return escape(value.strip('<>'))
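Review bot: the change is correct, but the hunk ships without a regression test; a test that renders the `msgid` filter over a constructed Message-ID such as `<a<script>b>` and asserts the output contains `&lt;script&gt;` rather than a raw tag would lock the fix in. Worth noting in the commit message that `escape()` returns a `SafeString`, so the filter output still bypasses a second autoescape pass, which is the intended behaviour here. The pre-existing `strip('<>')` removes every leading and trailing angle bracket rather than a single pair, which this patch does not change.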