Fix another XSS with the "otk" parameter.

schlatterbeck · schlatterbeck · commit 50a007a4bf2f · 2012-02-07T14:39:02.000+01:00
Thanks to Jesse Ruderman for reporting.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -75,6 +75,8 @@ Fixed:
   the patch.
 - Fix override of TemplatingUtils in instance.py, thanks to Cheer Xiao
   for the patch.
+- Fix another XSS with the "otk" parameter, thanks to Jesse Ruderman for
+  reporting. (Ralf)
 
 
 2011-07-15: 1.4.19
diff --git a/doc/acknowledgements.txt b/doc/acknowledgements.txt
@@ -118,6 +118,7 @@ Bernhard Reiter,
 Roy Rapoport,
 John P. Rouillard,
 Luke Ross,
+Jesse Ruderman,
 Ollie Rutherfurd,
 Toby Sargeant,
 Giuseppe Scelsi,
diff --git a/roundup/backends/sessions_dbm.py b/roundup/backends/sessions_dbm.py
@@ -8,6 +8,7 @@
 
 import os, marshal, time
 
+from cgi import escape
 from roundup import hyperdb
 from roundup.i18n import _
 from roundup.anypy.dbm_ import anydbm, whichdb, key_in
@@ -64,7 +65,7 @@ def get(self, infoid, value, default=_marker):
             else:
                 if default != self._marker:
                     return default
-                raise KeyError('No such %s "%s"'%(self.name, infoid))
+                raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
             return values.get(value, None)
         finally:
             db.close()
@@ -77,7 +78,7 @@ def getall(self, infoid):
                 del d['__timestamp']
                 return d
             except KeyError:
-                raise KeyError('No such %s "%s"'%(self.name, infoid))
+                raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
         finally:
             db.close()
 
diff --git a/roundup/backends/sessions_rdbms.py b/roundup/backends/sessions_rdbms.py
@@ -7,6 +7,7 @@
 __docformat__ = 'restructuredtext'
 
 import os, time
+from cgi import escape
 
 class BasicDatabase:
     ''' Provide a nice encapsulation of an RDBMS table.
@@ -35,7 +36,7 @@ def get(self, infoid, value, default=_marker):
         if not res:
             if default != self._marker:
                 return default
-            raise KeyError('No such %s "%s"'%(self.name, infoid))
+            raise KeyError('No such %s "%s"'%(self.name, escape(infoid)))
         values = eval(res[0])
         return values.get(value, None)
 
@@ -45,7 +46,7 @@ def getall(self, infoid):
             n, n, self.db.arg), (infoid,))
         res = self.cursor.fetchone()
         if not res:
-            raise KeyError('No such %s "%s"'%(self.name, infoid))
+            raise KeyError('No such %s "%s"'%(self.name, escape (infoid)))
         return eval(res[0])
 
     def set(self, infoid, **newvalues):
