CVE-2025-2361
# HG changeset patch
# User Raphaël Gomès <rgomes@octobus.net>
# Date 1742340720 -3600
#      Wed Mar 19 00:32:00 2025 +0100
# Branch stable
# Node ID a5c72ed2929341d97b11968211c880854803f003
# Parent  74439d1cbebaa9ff8f8300e37e93b42e6d381be4
hgweb: fix XSS vulnerability in hgweb (CVE-2025-2361)
818598f5bc8b91 is the change that introduced the vulnerability (in 2006!)
that was disclosed to us, but I found a similar pattern in other places
in the code.
Since XSS escaping is actually hard and that would mean vendoring some
better sanitization tool, I decided to simply remove user input from any
HTML output in hgweb, hopefully in all places.
Gbp-Pq: Name CVE-2025-2361.patch
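The commit message contrasts two ways of dealing with user input that reaches HTML: escape it correctly for every output context, or keep it out of the output altogether. The following is an added, self-contained illustration of that trade-off and is not hgweb's code or the contents of this patch; the template strings, the `render_*` helpers and the attacker-controlled sample values are all constructed for the example. It shows the reflected-input bug class, the text-context escape, why a single escape routine is not enough once the same value lands in a different context (an unquoted attribute), and the approach the commit describes, which avoids the question entirely.

```python
import html

# Constructed attacker-controlled values (not taken from the CVE report):
# a path or query component that a web front end might reflect into an
# error page.
ATTACKER_INPUT = "<script>alert(1)</script>"
ATTACKER_ATTR_INPUT = "x onmouseover=alert(1)"


def render_vulnerable(user_value: str) -> str:
    """Reflects the user-supplied value into HTML text with no escaping.

    This is the bug class: the value is interpreted as markup by the browser.
    """
    return "<p>error: %s not found</p>" % user_value


def render_escaped(user_value: str) -> str:
    """Escapes for an HTML *text* context.

    html.escape(quote=True) neutralises &, <, >, " and ', which is sufficient
    here because the value sits between tags, not inside an attribute, a
    script block or a URL.
    """
    return "<p>error: %s not found</p>" % html.escape(user_value, quote=True)


def render_escaped_unquoted_attr(user_value: str) -> str:
    """Applies the same escape in an *unquoted attribute* context.

    This is wrong: a space terminates an unquoted attribute value, and
    html.escape does nothing to spaces, '=' or parentheses, so
    "x onmouseover=alert(1)" still introduces an event handler. This is the
    sense in which context-aware escaping is hard.
    """
    return "<a href=%s>back</a>" % html.escape(user_value, quote=True)


def render_without_input(_user_value: str) -> str:
    """The approach the commit message takes: the user-supplied value is not
    emitted into the HTML at all, so no escaping decision has to be right."""
    return "<p>error: requested item not found</p>"


def contains_raw(rendered: str, needle: str) -> bool:
    """Check helper: does the attacker-controlled string survive verbatim?"""
    return needle in rendered


if __name__ == "__main__":
    for name, fn in (
        ("vulnerable", render_vulnerable),
        ("escaped-text", render_escaped),
        ("escaped-unquoted-attr", render_escaped_unquoted_attr),
        ("no-input", render_without_input),
    ):
        print(name, "->", fn(ATTACKER_INPUT if "attr" not in name else ATTACKER_ATTR_INPUT))
```

The `render_escaped_unquoted_attr` case is the one to keep in mind when reviewing a fix that only adds an escape call: the escape must match the context the value lands in, and a template that reuses one value in several contexts needs a different escape for each. Removing the value from the output, as this patch does, sidesteps that whole class of mistakes.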