From 4aaacbb1e628a80803ba1a55703db38fccdf7dbf Mon Sep 17 00:00:00 2001
From: Christian Hammond <chipx86@chipx86.com>
Date: Fri, 21 Jun 2013 23:33:16 -0700
Subject: [PATCH] Fix an XSS vulnerability in the reviews dropdown.
The reviews dropdown had a bad vulnerability where it would assume the
user's full name is valid HTML. This allowed a user to place a script
tag in their full name that would be executed every time the name appeared in the dropdown.
This vulnerability exists in 1.6.x, 1.7.x, and the in-development 1.8.
There are no known attacks in the wild.
This was reported by Craig Young at Tripwire.
#---
# reviewboard/htdocs/media/rb/js/reviews.js | 6 ++++--
# 1 file changed, 4 insertions(+), 2 deletions(-)
#diff --git a/reviewboard/htdocs/media/rb/js/reviews.js b/reviewboard/htdocs/media/rb/js/reviews.js
#index 6340744..035872f 100644
#--- a/reviewboard/htdocs/media/rb/js/reviews.js
#+++ b/reviewboard/htdocs/media/rb/js/reviews.js
#@@ -352,10 +352,12 @@ $.fn.reviewsAutoComplete = function(options) {
# $(this)
# .autocomplete({
# formatItem: function(data) {
#- var s = data[options.nameKey];
#+ var s = data[options.nameKey],
#+ desc;
#
# if (options.descKey) {
#- s += " <span>(" + data[options.descKey] + ")</span>";
#+ desc = $('<div/>').text(data[options.descKey]).html();
#+ s += " <span>(" + desc + ")</span>";
# }
#
# return s;
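Review bot: In this quoted upstream hunk only the description is escaped; `data[options.nameKey]` on the `var s = data[options.nameKey],` line is still concatenated raw into the HTML string that `formatItem` returns, so the fix relies on every name value being free of HTML metacharacters. If that value can come from a source the server does not restrict (an external authentication backend, for instance), it should be escaped the same way: `var s = $('<div/>').text(data[options.nameKey]).html(),`. The `.html()` of a text node escapes `<`, `>` and `&` but not quotes, which is sufficient here because the result lands in element content rather than an attribute. Note that this hunk is `#`-commented and so is not applied by this patch file; the enclosing reviewsAutoComplete function continues outside the hunk.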
#--
#1.8.1.6
diff -ur ReviewBoard-1.7.7.1.orig/reviewboard/htdocs/static/rb/js/reviews.js ReviewBoard-1.7.7.1/reviewboard/htdocs/static/rb/js/reviews.js
--- reviewboard/htdocs/static/rb/js/reviews.js 2013-04-22 04:40:30.000000000 +0800
+++ reviewboard/htdocs/static/rb/js/reviews.js 2013-06-28 10:38:29.514298074 +0800
@@ -257,10 +257,12 @@
$(this)
.rbautocomplete({
formatItem: function(data) {
- var s = data[options.nameKey];
+ var s = data[options.nameKey],
+ desc;
if (options.descKey && data[options.descKey]) {
- s += " <span>(" + data[options.descKey] + ")</span>";
+ desc = $('<div/>').text(data[options.descKey]).html();
+ s += " <span>(" + desc + ")</span>";
}
return s;
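Review bot: The name half of the item is still interpolated unescaped: `data[options.nameKey]` on the `var s = data[options.nameKey],` line goes straight into the markup, while only the description is routed through `$('<div/>').text(...).html()`. That is safe only as long as the name value is guaranteed to contain no HTML metacharacters, which the client code cannot verify on its own; escaping it the same way costs one line, `var s = $('<div/>').text(data[options.nameKey]).html(),`, and removes the assumption. Keep in mind that this escape handles `<`, `>` and `&` but not quotes, so it is adequate for element content (as here) but not for attribute values. The surrounding reviewsAutoComplete function and the rbautocomplete options object start and end outside the hunk.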
diff -ur ReviewBoard-1.7.7.1.orig/reviewboard/static/rb/js/reviews.js ReviewBoard-1.7.7.1/reviewboard/static/rb/js/reviews.js
--- reviewboard/static/rb/js/reviews.js 2013-04-22 04:40:29.000000000 +0800
+++ reviewboard/static/rb/js/reviews.js 2013-06-28 10:40:09.922290974 +0800
@@ -257,10 +257,12 @@
$(this)
.rbautocomplete({
formatItem: function(data) {
- var s = data[options.nameKey];
+ var s = data[options.nameKey],
+ desc;
if (options.descKey && data[options.descKey]) {
- s += " <span>(" + data[options.descKey] + ")</span>";
+ desc = $('<div/>').text(data[options.descKey]).html();
+ s += " <span>(" + desc + ")</span>";
}
return s;
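Review bot: Same gap as in the htdocs copy of this file: `data[options.nameKey]` on the `var s = data[options.nameKey],` line is still concatenated raw, so any name value containing HTML metacharacters would still be rendered as markup even though the description is now escaped. Unless the server guarantees the name is HTML-safe, escape it with the same idiom, `var s = $('<div/>').text(data[options.nameKey]).html(),`, and keep both copies of reviews.js in step so the static and htdocs builds do not diverge. The enclosing reviewsAutoComplete function continues outside the hunk.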