
Item12285: Resolve MAKETEXT vulnerabilities CVE-2012-6329 and CVE-2012-6330.

Priority: Urgent
Current State: Closed
Released In: 1.1.7
Target Release: patch
Applies To: Engine
Component: MAKETEXT
Branches: Release01x01 trunk
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
The initial fix for this escapes the backslash by doubling it. This is also the fix used internal to Locale::Maketext. It appears safe, and extensive testing verifies that it resolves the issue.

However there are a couple of problems with it that should be addressed for 1.1.7:
  • Any change to the string being translated will probably cause a lookup failure in the translation tables.
  • In some cases, the double-escaped string remains visible in the output.
  • The code is complicated because if both MAKETEXT and Locale::Maketext escape, more doubling of escapes happens.

I suspect the better solution would be to entity encode the \ as \. This encode has to be done in two places:
  • the MAKETEXT macro, lib/Foswiki/Macros/
  • The string extraction code lib/Foswiki/I18N/ used to feed the translation tools.

Have I missed anything?
  • Should anything else be entity encoded before calling Locale::Maketext?
  • Is it safe to leave them encoded in the translated string?
  • Are there any considerations if escaping is used in the inside-out left-right rendering?

-- GeorgeClark - 18 Dec 2012
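
Added example, not part of the original task or Foswiki's code: a simplified Perl model of the first two problems listed above, showing that a string changed on the macro side misses the translation table unless the extraction step applies the same change. It does not call Locale::Maketext; `build_lexicon`, `translate`, the fallback-to-source behaviour and the sample strings are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The escape described in the task: double every backslash before the
# string is handed to the translation layer.
sub escape_backslashes {
    my ($str) = @_;
    $str =~ s/\\/\\\\/g;
    return $str;
}

# Hypothetical stand-in for the extraction step that collects strings for
# the translation tools. $escape selects whether it applies the same escape.
sub build_lexicon {
    my ($escape, %translations) = @_;
    my %lexicon;
    while (my ($source, $translated) = each %translations) {
        my $key = $escape ? escape_backslashes($source) : $source;
        $lexicon{$key} = $translated;
    }
    return \%lexicon;
}

# Hypothetical stand-in for the macro side: escape, then look up. A miss
# falls back to the escaped source string (an assumption of this model),
# which is how doubled backslashes can end up visible in the output.
sub translate {
    my ($lexicon, $source) = @_;
    my $key = escape_backslashes($source);
    return exists $lexicon->{$key} ? $lexicon->{$key} : $key;
}

# Constructed sample data; single quotes keep the backslash literal.
my %translations = (
    'Save'            => 'Speichern',
    'Path is C:\temp' => 'Pfad ist C:\temp',
);

my $raw_keys     = build_lexicon(0, %translations);   # extractor unchanged
my $escaped_keys = build_lexicon(1, %translations);   # extractor escapes too

for my $source (sort keys %translations) {
    printf "%-16s | raw keys: %-18s | escaped keys: %s\n",
        $source, translate($raw_keys, $source), translate($escaped_keys, $source);
}
```

With the extractor left unchanged, the string containing a backslash misses the table and comes back with the doubled backslash; with both sides escaping, it resolves to the translation.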

Setting this to Waiting For Release. I'm staying with the original escape backslashes fix. It works.

-- GeorgeClark - 22 Dec 2012
Topic revision: r24 - 01 Feb 2013, GeorgeClark