From 5fccb302a8f326ebab1ae6b4d9599e4ff426b828 Mon Sep 17 00:00:00 2001
From: Christoph Anton Mitterer
Date: Wed, 20 Mar 2013 23:41:43 +0100
Subject: [PATCH] escape version string to prevent XSS for sure * HTML escape the remotely retrieved version string printed to the HTML in order to prevent and attacks (if this would have been possible at all in 12 characters). The version string read from the davical.org webserver might be changed by an attacker in order to perform XSS. Even though this is highly unlikley (there are only 12 characters used) it's better to HTML escape any such string that is printed to HTML. This was originally reported at: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=703290
---
ChangeLog | 3 +++
debian/changelog | 2 +-
htdocs/setup.php | 2 +-
3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index ed20829b..9488f8d9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,9 @@
 * Changed the end-of-line encodings of all non-Windows-related and non-autogenerated text files to use UNIX LF (lots of them had mixed LF/CRLF).
+ * HTML escape the remotely retrieved version string printed to the HTML
+ in order to prevent and attacks (if this would have been possible at
+ all in 12 characters).
 2013-03-06 Andrew McMillan
 * Fix capitalisation of 'plpgsql' & 'sql' for Postgres 9.2. (debbug #702403)
diff --git a/debian/changelog b/debian/changelog
index 647037c5..d1b201b0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,6 @@
 davical (1.1.2-1) unstable; urgency=low
- * New upstream release (closes:#702403)
+ * New upstream release (closes:#702403, #703290)
 -- Andrew McMillan Wed, 06 Mar 2013 20:27:17 +1300
diff --git a/htdocs/setup.php b/htdocs/setup.php
index 54345f39..ac43670c 100644
--- a/htdocs/setup.php
+++ b/htdocs/setup.php
@@ -252,7 +252,7 @@ function check_davical_version() {
 $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
 $version_file = @fopen($url, 'r');
 if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
- $current_version = trim(fread( $version_file,12));
+ $current_version = htmlentities( trim(fread( $version_file,12)) );
 fclose($version_file);
 $result = new CheckResult($c->version_string == $current_version);
 if ( ! $result->getOK() ) {
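Review bot: The escaping sits at the wrong layer in the added line: `$current_version` is HTML-encoded before it is compared with `$c->version_string` two lines below, so a remote value containing any character that `htmlentities()` rewrites (or, on PHP 5.4+, an invalid UTF-8 byte, which makes `htmlentities()` return an empty string) fails the version check for a reason unrelated to the version itself. Keep the raw value here, `$current_version = trim(fread( $version_file,12));`, and encode at the point where the string is written into the HTML message, e.g. `htmlspecialchars($current_version, ENT_QUOTES, 'UTF-8')`; that output line lies below the hunk, so its exact form is inferred from the commit message. With the encoding moved out of the comparison, `$c->version_string === $current_version` would also avoid PHP's numeric-string coercion on `==`, which treats strings such as `'1.1'` and `'1.10'` as equal. check_davical_version() continues past the end of the hunk.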