Fix missing HTML encoding in Debugger

Fix missing HTML encoding when error messages contain HTML. This can
happen when user data is used as an offset in an array in an unchecked
way.

Thanks to Teppei Fukuda for reporting this issue via the responsible
security disclosure process.
This commit is contained in:
mark_story 2016-12-10 08:47:13 -05:00
parent 14192ba1e8
commit edfda47cf4
2 changed files with 19 additions and 0 deletions


@ -155,6 +155,24 @@ class DebuggerTest extends CakeTestCase {
$this->assertContains('$wrong = ''', $result[3], 'Context should be HTML escaped.');
}
/**
* test encodes error messages
*
* @return void
*/
public function testOutputEncodeDescription() {
set_error_handler('Debugger::showError');
$this->_restoreError = true;
ob_start();
$a = 'things';
$b = $a['<script>alert(1)</script>'];
$result = ob_get_clean();
$this->assertNotContains('<script>alert(1)', $result);
$this->assertContains('&lt;script&gt;alert(1)', $result);
}
/**
* Tests that changes in output formats using Debugger::output() change the templates used.
*
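Review bot: In `testOutputEncodeDescription`, `$b` is assigned only so that the string-offset read on `$a` raises the notice under test, and the `assertContains('&lt;script&gt;alert(1)', ...)` check presumably relies on the engine quoting the offending offset verbatim in that notice's message — neither is stated in the test, so a reader may take `$b` for a leftover or try to "fix" the unused variable. A short comment above the read, `// Reading a non-numeric string offset raises a notice that quotes the offset; it stands in for attacker-controlled input reaching the error description.`, would record the intent, and a PHP-version change in that message text would then be recognisable as the cause if the test starts failing. The docblock `* test encodes error messages` could also name what is checked: `* Tests that the error description, not only the context, is HTML encoded in output.`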


@ -774,6 +774,7 @@ class Debugger {
if (!empty($tpl['escapeContext'])) {
$context = h($context);
$data['description'] = h($data['description']);
}
$infoData = compact('code', 'context', 'trace');