Item12285: Resolve MAKETEXT vulnerabilities CVE-2012-6329 and CVE-2012-6330.

Priority: Urgent
Current State: Closed
Released In: 1.1.7
Target Release: patch
Applies To: Engine
Component: MAKETEXT
Branches: Release01x01 trunk
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
The initial fix for this escapes the backslash by doubling it. This is also the fix used internally by Locale::Maketext. It appears safe, and extensive testing verifies that it resolves the issue.

However there are a couple of problems with it that should be addressed for 1.1.7:
  • Any change to the string being translated will probably cause a lookup failure in the translation tables.
  • In some cases, the double-escaped string remains visible in the output.
  • The code is complicated because if both MAKETEXT and Locale::Maketext escape, more doubling of escapes happens.

I suspect the better solution would be to entity encode the \ as \. This encoding has to be done in two places:
  • the MAKETEXT macro, lib/Foswiki/Macros/MAKETEXT.pm
  • The string extraction code lib/Foswiki/I18N/Extract.pm used to feed the translation tools.

Have I missed anything?
  • Should anything else be entity encoded before calling Locale::Maketext?
  • Is it safe to leave them encoded in the translated string?
  • Are there any considerations if escaping is used in the inside-out left-right rendering?

-- GeorgeClark - 18 Dec 2012
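As an added, standalone illustration of the backslash-doubling fix discussed above (this is not Foswiki's MAKETEXT.pm code; the My::I18N classes, their lexicon entries and the escape_for_maketext/translate helpers are constructed for this example), showing both the escaping applied before the Locale::Maketext call and the translation-table miss noted in the first bullet:

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed lexicon classes standing in for Foswiki's I18N handles.
package My::I18N;
use parent 'Locale::Maketext';

package My::I18N::en;
our @ISA     = ('My::I18N');
our $VERSION = '0.01';
our %Lexicon = (
    _AUTO => 1,    # strings missing from the table translate to themselves
    # Constructed entry whose key contains a backslash, exactly the case
    # where a lookup breaks if the key and the escaped string differ.
    q{Path with \ separator} => q{Path with \ separator (from lexicon)},
);

package main;

# The fix discussed above: double every backslash in the string that is
# handed to Locale::Maketext, so a backslash can never break out of the
# quoted literal Locale::Maketext generates while compiling the string.
sub escape_for_maketext {
    my ($string) = @_;
    $string =~ s/\\/\\\\/g;
    return $string;
}

# Only the format string is compiled by Locale::Maketext; the [_1] arguments
# are substituted as plain data, so they are passed through unchanged.
sub translate {
    my ( $lh, $string, @args ) = @_;
    return $lh->maketext( escape_for_maketext($string), @args );
}

my $lh = My::I18N->get_handle('en') or die "no language handle";

# Ordinary string with a bracket argument: unaffected by the escaping.
print translate( $lh, q{Edit [_1]}, q{C:\Users\bob's topic} ), "\n";

# The unescaped key hits the lexicon entry ...
print $lh->maketext( q{Path with \ separator} ), "\n";
# ... but the escaped key "Path with \\ separator" does not, so _AUTO
# returns the string itself: the lookup failure noted in the first bullet.
# The extraction code feeding the translation tables must escape keys the same way.
print translate( $lh, q{Path with \ separator} ), "\n";
```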

Setting this to Waiting For Release. I'm staying with the original escape backslashes fix. It works.

-- GeorgeClark - 22 Dec 2012
 
Topic revision: r24 - 01 Feb 2013, GeorgeClark