Kallithea issues archive

Issue #76: HTML injections in file browser

Reported by: 557058:dea91e4c-e257-42be-bc28-2cf352c368c8
State: resolved
Created on: 2015-01-14 16:10
Updated on: 2015-01-22 10:36

Description

It is possible to inject HTML code by creating files with special names:

(screenshot: 2015-01-14-170504_101x127_scrot.png)

        <a class="browser-dir ypjax-link" href="/andrewsh-test/files/31d422b9e65a409dbee17bfe574cb9800ab91a07/%26middot%3B"><i class="icon-folder-open"></i><span>&middot;</span></a>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                </tr>
                <tr class="parity1">
                     <td>
        <a class="browser-dir ypjax-link" href="/andrewsh-test/files/31d422b9e65a409dbee17bfe574cb9800ab91a07/%3Cimg%20src%3D%22eee.png%22%3E"><i class="icon-folder-open"></i><span><img src="eee.png"></span></a>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                     <td>
                     </td>
                </tr>
                <tr class="parity0">
                     <td>

A repository patch to create such files is attached.

Attachments

0-cf7cf2c2524f.patch
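As an added illustration, not Kallithea's own code or the attached patch, the Python below reproduces the rendering pattern visible in the report (href percent-encoded, visible name interpolated raw) beside a version that HTML-escapes the display name, using the two directory names from the report as constructed input. The function and parameter names are assumptions.

```python
import html
from urllib.parse import quote

# Constructed sample input: the two directory names from the report plus a harmless one.
SAMPLE_NAMES = ["&middot;", '<img src="eee.png">', "docs"]
REPO = "andrewsh-test"
REV = "31d422b9e65a409dbee17bfe574cb9800ab91a07"

ROW = '<a class="browser-dir ypjax-link" href="%s"><i class="icon-folder-open"></i><span>%s</span></a>'


def browser_row_unsafe(repo, rev, name):
    """The pattern the report shows: the href is percent-encoded, but the
    visible name goes into the <span> untouched, so markup in a file name
    (or an entity such as &middot;) is rendered by the browser."""
    href = "/%s/files/%s/%s" % (repo, rev, quote(name, safe=""))
    return ROW % (href, name)


def browser_row_safe(repo, rev, name):
    """Same link, with the display name escaped as text and the href escaped
    as an attribute value (quote() output is already attribute-safe, but
    escaping it too keeps the rule uniform: every interpolation is escaped)."""
    href = html.escape("/%s/files/%s/%s" % (repo, rev, quote(name, safe="")), quote=True)
    return ROW % (href, html.escape(name, quote=True))


def leaks_markup(rendered, name):
    """Detection check for a rendered row: a name containing '<' or '&' must
    never appear verbatim as the text node between '>' and '<'."""
    if "<" not in name and "&" not in name:
        return False
    return (">" + name + "<") in rendered


def audit(names, render):
    """Return the names that a given renderer lets through unescaped."""
    return [n for n in names if leaks_markup(render(REPO, REV, n), n)]


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print("unsafe:", browser_row_unsafe(REPO, REV, n))
        print("safe:  ", browser_row_safe(REPO, REV, n))
    print("leaked by unsafe renderer:", audit(SAMPLE_NAMES, browser_row_unsafe))
    print("leaked by safe renderer:  ", audit(SAMPLE_NAMES, browser_row_safe))
```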

Comments

Comment by Andrej Shadura, on 2015-01-14 16:46

I've got a patch ready.

Comment by Andrej Shadura, on 2015-01-22 10:36

Fixed in 61d7fff