
0988d0ca67c3d670846ba4785472fe0ec774a014 — Frank Doepper 2 years ago 2e3c418 master 20220105
fix possible XSS

https://www.openbugbounty.org/reports/2315738/

__prefix__ was substituted with the decoded URL and could be hijacked with a
crafted query parameter. Now the urlencoded variant is used; the decoded
variant is only kept to calculate the string size.
1 files changed, 4 insertions(+), 4 deletions(-)

M index.pl
M index.pl => index.pl +4 -4
@@ 4,9 4,9 @@
# http://woffs.de/WCM
# <wcm@woffs.de>
#
# Version 20140613
# Version 20220105
# 
# Copyright © 2010-2014 WofFS
# Copyright © 2010-2022 WofFS
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as


@@ 168,8 168,8 @@ $abs='http'.($https eq 'on' ? 's' : '').
        "://$host".($port == ($https eq 'on' ? 443 : 80) ? '' : ":$port");
if (my $ru=$ENV{REQUEST_URI}) {
  $ru=~s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei if $ru=~/%25/; # apache double urldecode
  $ru=~s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei; # urldecode
  $abs.=substr($ru,0,length($ru)-$clen);
  (my $dru=$ru)=~s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei;
  $abs.=substr($ru,0,length($dru)-$clen);
} else {
  $abs.=$ENV{'SCRIPT_NAME'} || '/index.pl';
}
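Review bot: The new `substr($ru, ...)` still reads a string that the conditional "apache double urldecode" line above has already decoded in place whenever the request contains `%25`, so in that case `$abs` can still receive decoded characters and the fix only covers requests without a literal `%25`; keeping `$ru` untouched and applying both decode passes to the `$dru` copy closes that gap. A second caveat, hedged because `$clen` is defined outside the hunk: `length($dru) - $clen` is a character count of the decoded copy but is applied as an offset into the encoded `$ru`, so a prefix containing any `%XX` sequence gets cut short; if the prefix must be taken from the encoded form, the cut point should be computed on that form too. Independently of either, escaping `$abs` at the point where it is substituted into `__prefix__` would be the robust defence, since that substitution happens outside this hunk.
```perl
if (my $ru=$ENV{REQUEST_URI}) {
  my $dru = $ru;                       # decoded copy, used only for lengths; $ru stays urlencoded
  $dru =~ s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei if $dru =~ /%25/; # apache double urldecode
  $dru =~ s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei; # urldecode
  $abs .= substr($ru, 0, length($dru) - $clen);
# … unchanged: else branch …
```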