dgit.raspbian.org Git - mercurial.git/commit

CVE-2025-2361

# HG changeset patch
# User Raphaël Gomès <rgomes@octobus.net>
# Date 1742340720 -3600
# Wed Mar 19 00:32:00 2025 +0100
# Branch stable
# Node ID a5c72ed2929341d97b11968211c880854803f003
# Parent 74439d1cbebaa9ff8f8300e37e93b42e6d381be4
hgweb: fix XSS vulnerability in hgweb (CVE-2025-2361)

818598f5bc8b91 is the change that introduced the vulnerability (in 2006!)
that was disclosed to us, but I found a similar pattern in other places
in the code.

Since XSS escaping is actually hard and that would mean vendoring some
better sanitation tool, I decided to simply remove user input from any
HTML output in hgweb, hopefully in all places.

Gbp-Pq: Name CVE-2025-2361.patch

author	Debian Python Team <team+python@tracker.debian.org>
	Thu, 27 Mar 2025 18:23:02 +0000 (19:23 +0100)
committer	Andreas Henriksson <andreas@fatal.se>
	Thu, 27 Mar 2025 18:23:02 +0000 (19:23 +0100)
commit	7625eac5c55dac9f64fc9a8d20df23b0b569f0d9
tree	ee038209b175306b6c9f9a79366acb1cb373aa6b	tree \| snapshot
parent	0512216b19a2ca6606a34c2692a0acae9041e4cb	commit \| diff

mercurial/hgweb/hgweb_mod.py		diff \| blob \| history
mercurial/hgweb/webcommands.py		diff \| blob \| history
tests/test-archive.t		diff \| blob \| history
tests/test-hgweb.t		diff \| blob \| history
tests/test-http-api.t		diff \| blob \| history
tests/test-lfs-serve-access.t		diff \| blob \| history
tests/test-remotefilelog-http.t		diff \| blob \| history