Merge pull request #3 from calestyo/master

escape version string to prevent XSS for sure
2026-05-30 03:24:47 +00:00 · 2013-03-20 15:47:18 -07:00 · 2013-03-20 15:47:18 -07:00 · ba74446aa0
commit ba74446aa0
parent 4ef8dc9d53 5fccb302a8
3 changed files with 5 additions and 2 deletions
--- a/3
+++ b/3
@ -2,6 +2,9 @@
 	* Changed the end-of-line encodings of all non-Windows-related and 
 	  non-autogenerated text files to use UNIX LF (lots of them had mixed
 	  LF/CRLF).
+	* HTML escape the remotely retrieved version string printed to the HTML
+	  in order to prevent and attacks (if this would have been possible at
+	  all in 12 characters).

 2013-03-06  Andrew McMillan  <andrew@morphoss.com>
 	* Fix capitalisation of 'plpgsql' & 'sql' for Postgres 9.2. (debbug #702403)
--- a/debian/changelog
+++ b/debian/changelog
@ -1,6 +1,6 @@
 davical (1.1.2-1) unstable; urgency=low

-  * New upstream release (closes:#702403)
+  * New upstream release (closes:#702403, #703290)

 -- Andrew McMillan <awm@debian.org>  Wed, 06 Mar 2013 20:27:17 +1300

--- a/htdocs/setup.php
+++ b/htdocs/setup.php
@ -252,7 +252,7 @@ function check_davical_version() {
  $url = 'http://www.davical.org/current_davical_version?v='.$c->version_string;
  $version_file = @fopen($url, 'r');
  if ( ! $version_file ) return new CheckResult( false, translate("Could not retrieve") . " '$url'", 'dep_warning' );
-  $current_version = trim(fread( $version_file,12));
+  $current_version = htmlentities( trim(fread( $version_file,12)) );
  fclose($version_file);
  $result = new CheckResult($c->version_string == $current_version);
  if ( ! $result->getOK() ) {