issue2550711 Fix XSS vulnerability in @action parameter.

schlatterbeck · schlatterbeck · commit ea29de37416f · 2012-01-05T16:22:27.000+01:00
thanks to "om" for reporting.
Also fix issue number of previous change-entry.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -55,8 +55,10 @@ Fixed:
   backported version of my proposed changes to
   email.header.decode_header in http://bugs.python.org/issue1079
   (Ralf)
-- issue2550711 Fix XSS vulnerability when username contains HTML code,
+- issue2550684 Fix XSS vulnerability when username contains HTML code,
   thanks to Thomas Arendsen Hein for reporting and patch.
+- issue2550711 Fix XSS vulnerability in @action parameter,
+  thanks to "om" for reporting.
 
 
 2011-07-15: 1.4.19
diff --git a/doc/acknowledgements.txt b/doc/acknowledgements.txt
@@ -104,6 +104,7 @@ Stefan Niederhauser,
 Truls E. Næss,
 Bryce L Nordgren,
 Patrick Ohly,
+"om",
 Luke Opperman,
 Eddie Parker,
 Will Partain,
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -1171,7 +1171,7 @@ def get_action_class(self, action_name):
                 if name == action_name:
                     break
             else:
-                raise ValueError('No such action "%s"'%action_name)
+                raise ValueError('No such action "%s"'%cgi.escape(action_name))
         return action_klass
 
     def _socket_op(self, call, *args, **kwargs):
