From 0988d0ca67c3d670846ba4785472fe0ec774a014 Mon Sep 17 00:00:00 2001
From: Frank Doepper
Date: Wed, 5 Jan 2022 14:41:31 +0100
Subject: [PATCH] fix possible XSS https://www.openbugbounty.org/reports/2315738/

__prefix__ was substituted with decoded URL and could be hijacked with a crafted query parameter. Now the urlencoded variant is used, the decoded variant is only left to calculate the string size.
---
 index.pl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/index.pl b/index.pl
index 40deb84..e2d9ae8 100755
--- a/index.pl
+++ b/index.pl
@@ -4,9 +4,9 @@
 # http://woffs.de/WCM
 #
 #
-# Version 20140613
+# Version 20220105
 #
-# Copyright © 2010-2014 WofFS
+# Copyright © 2010-2022 WofFS
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
@@ -168,8 +168,8 @@ $abs='http'.($https eq 'on' ? 's' : '').
 "://$host".($port == ($https eq 'on' ? 443 : 80) ? '' : ":$port");
 if (my $ru=$ENV{REQUEST_URI}) {
 $ru=~s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei if $ru=~/%25/; # apache double urldecode
-$ru=~s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei; # urldecode
-$abs.=substr($ru,0,length($ru)-$clen);
+(my $dru=$ru)=~s/%([0-9A-F]{2})/sprintf("%c",hex($1))/gei;
+$abs.=substr($ru,0,length($dru)-$clen);
 } else {
 $abs.=$ENV{'SCRIPT_NAME'} || '/index.pl';
 }
-- 
2.45.2
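Review bot: The new code still relies on REQUEST_URI arriving percent-encoded, but that value is copied from the client's request line, so HTML metacharacters sent literally, or produced by the conditional first decode pass that remains on the line above (`... if $ru=~/%25/;` rewrites `$ru` in place whenever `%25` occurs anywhere in it), still reach `$abs` and the `__prefix__` substitution unescaped. A more durable fix is to escape at the output point, e.g. `(my $safe = $abs) =~ s/([<>&"'])/sprintf('&#%d;', ord $1)/ge;` before `__prefix__` is substituted, or to reject `$abs` values that fail an anchored allow-list match. Separately, `$abs.=substr($ru,0,length($dru)-$clen);` mixes the encoded string with a length taken from its decoded copy, so whenever the part of the URI before the trailing `$clen` characters contains a `%XX` escape the cut lands at the wrong offset; the two lengths agree only when that prefix has no escapes, which deserves a comment such as `# NOTE: assumes no %XX escapes before the trailing $clen chars`. The `__prefix__` substitution and the definition of `$clen` lie outside the hunk.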