[vlc-commits] lua http: fix two xss vulnerabilities

Ludovic Fauvet git at videolan.org
Mon Apr 8 15:01:54 CEST 2013


vlc | branch: master | Ludovic Fauvet <etix at videolan.org> | Mon Apr  8 14:10:50 2013 +0200| [bf02b8dd211d5a52aa301a9a2ff4e73ed8195881] | committer: Ludovic Fauvet

lua http: fix two xss vulnerabilities

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=bf02b8dd211d5a52aa301a9a2ff4e73ed8195881
---

 share/lua/http/requests/vlm_cmd.xml |    2 +-
 share/lua/intf/http.lua             |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/share/lua/http/requests/vlm_cmd.xml b/share/lua/http/requests/vlm_cmd.xml
index 2e49db3..10a9a4a 100644
--- a/share/lua/http/requests/vlm_cmd.xml
+++ b/share/lua/http/requests/vlm_cmd.xml
@@ -27,7 +27,7 @@
 if _GET["command"] then
   local msg = vlm:execute_command(_GET["command"])
   if msg.value then
-    print(msg.name,":",msg.value)
+    print(msg.name,":",vlc.strings.convert_xml_special_chars(msg.value))
   end
 else
 ?>No command<?vlc
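Review bot: msg.name is still passed to print() unescaped in the same call, while only msg.value is wrapped in vlc.strings.convert_xml_special_chars(); since the output is driven by the request's _GET["command"], unless msg.name is known to be a fixed token it should get the same treatment, i.e. `print(vlc.strings.convert_xml_special_chars(msg.name),":",vlc.strings.convert_xml_special_chars(msg.value))`.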
diff --git a/share/lua/intf/http.lua b/share/lua/intf/http.lua
index 47e9651..ea6ce87 100644
--- a/share/lua/intf/http.lua
+++ b/share/lua/intf/http.lua
@@ -107,7 +107,8 @@ function callback_error(path,url,msg)
 <title>Error loading ]]..url..[[</title>
 </head>
 <body>
-<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information." or tostring(msg))..[[</pre>
+<h1>Error loading ]]..url..[[</h1><pre>]]..(config.no_error_detail and "Remove configuration option `no_error_detail' on the server to get more information."
+or vlc.strings.convert_xml_special_chars(tostring(msg)))..[[</pre>
 <p>
 <a href="http://www.videolan.org/">VideoLAN</a><br/>
 <a href="http://www.lua.org/manual/5.1/">Lua 5.1 Reference Manual</a>
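Review bot: the hunk escapes tostring(msg) but leaves `url` interpolated unescaped into both `<title>Error loading ]]..url..[[</title>` and the `<h1>` on the changed line; the URL of a failed request is request-controlled in the same way as the error text, so it should go through vlc.strings.convert_xml_special_chars(url) as well. Minor style point: breaking the `and ... or ...` expression so that the continuation line starts with `or` is harder to read than keeping the `or` at the end of the first line.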