Fix fix XSS issue in wsgi and cgi when handing url not found/404. issue2551035

rouilj · rouilj · commit a2edc3cba0b5 · 2019-03-22T18:16:11.000-04:00
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -100,6 +100,10 @@ Fixed:
   HTTP_X-REQUESTED-WITH to HTTP_X_REQUESTED_WITH. The last is
   correct. Also fix roundup-server to produce the latter form. (Patch
   by C�dric Krier, reviewed/applied John Rouillard.)
+- issue2551035 - fix XSS issue in wsgi and cgi when handing url not
+  found/404. Reported by hannob at
+  https://github.com/python/bugs.python.org/issues/34, issue opened by
+  JulienPalard.
 
 2018-07-13 1.6.0
 
diff --git a/frontends/roundup.cgi b/frontends/roundup.cgi
@@ -181,7 +181,7 @@ def main(out, err):
                 request.send_response(404)
                 request.send_header('Content-Type', 'text/html')
                 request.end_headers()
-                out.write(s2b('Not found: %s'%client.path))
+                out.write(s2b('Not found: %s'%cgi.escape(client.path)))
 
     else:
         from roundup.anypy import urllib_
diff --git a/roundup/cgi/wsgi_handler.py b/roundup/cgi/wsgi_handler.py
@@ -69,7 +69,7 @@ def __call__(self, environ, start_response):
             client.main()
         except roundup.cgi.client.NotFound:
             request.start_response([('Content-Type', 'text/html')], 404)
-            request.wfile.write(s2b('Not found: %s'%client.path))
+            request.wfile.write(s2b('Not found: %s'%cgi.escape(client.path)))
 
         # all body data has been written using wfile
         return []
