CVE-2014-125098: Issue 225813002: Fix XSS issues in http_server's dir-listing and error-page.

A vulnerability was found in Dart http_server up to 0.9.5 and classified as problematic. Affected is the function VirtualDirectory in the file lib/src/virtual_directory.dart of the Directory Listing Handler component. Manipulation of the argument request.uri.path leads to cross-site scripting, and the attack may be launched remotely. Upgrading to version 0.9.6 addresses this issue; the patch is identified as 27c1cbd8125bb0369e675eb72e48218496e48ffb. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225356.
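The defect class the advisory describes, shown as an added example (not the Dart package's own code): a directory-listing renderer that interpolates the request path and entry fields straight into HTML, beside the hardened version that HTML-encodes every untrusted value, including size and modified as the reviewers asked for in patch set 3. The example uses Python's html.escape in place of the Dart encoder; the Entry type, function names and sample values are constructed for illustration.

```python
import html
from dataclasses import dataclass
from typing import Iterable


@dataclass
class Entry:
    name: str
    size: str      # kept as text so the example can show that size and
    modified: str  # modified need encoding too, not only the path and name


def esc(value: str) -> str:
    """HTML-encode a value for element content or a quoted attribute."""
    return html.escape(value, quote=True)


def render_listing_unsafe(request_path: str, entries: Iterable[Entry]) -> str:
    """Vulnerable form: a crafted request path or file name lands in the
    page as live markup, which is the XSS the advisory describes."""
    rows = "".join(
        f'<tr><td><a href="{e.name}">{e.name}</a></td>'
        f"<td>{e.size}</td><td>{e.modified}</td></tr>"
        for e in entries
    )
    return f"<h1>Index of {request_path}</h1><table>{rows}</table>"


def render_listing_safe(request_path: str, entries: Iterable[Entry]) -> str:
    """Hardened form: every untrusted value is encoded before insertion.
    quote=True also encodes quotes, so a name cannot break out of href."""
    rows = "".join(
        f'<tr><td><a href="{esc(e.name)}">{esc(e.name)}</a></td>'
        f"<td>{esc(e.size)}</td><td>{esc(e.modified)}</td></tr>"
        for e in entries
    )
    return f"<h1>Index of {esc(request_path)}</h1><table>{rows}</table>"


def untrusted_markup_survived(page: str, probe: str) -> bool:
    """Check used in a regression test: True if the probe tag is verbatim."""
    return probe in page


# Constructed sample input: a request path and a file name carrying a tag.
PROBE = "<script>alert(1)</script>"
SAMPLE_PATH = f"/docs/{PROBE}/"
SAMPLE_ENTRIES = [Entry(f"notes{PROBE}.txt", "12", "2014-04-04 11:48")]
```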


Created: 6 years, 8 months ago by Anders Johnsen
Modified: 6 years, 8 months ago
Reviewers: nweiz, Søren Gjesse, ahe
CC: reviews_dartlang.org, kevmoo
Base URL: https://dart.googlecode.com/svn/branches/bleeding_edge/dart
Visibility: Public.


Description

Fix XSS issues in http_server’s dir-listing and error-page.
BUG= [email protected]
Committed: https://code.google.com/p/dart/source/detail?r=34769

Patch Set 1 (total comments: 4)
Patch Set 2: Remove debug code. (total comments: 6)
Patch Set 3: Also encode size and modified.


Stats (+65 lines, -19 lines)

Patch (M = modified file, patch sets 1 and 2 shown):

M pkg/http_server/lib/src/virtual_directory.dart: 4 chunks, +23 lines, -11 lines, 0 comments
M pkg/http_server/test/virtual_directory_test.dart: 4 chunks, +42 lines, -8 lines, 0 comments

Messages

Total messages: 6 (0 generated)


Anders Johnsen, 2014-04-04 11:48:34 UTC (#1)

Søren Gjesse, 2014-04-04 12:54:26 UTC (#2)

lgtm
https://codereview.chromium.org/225813002/diff/1/pkg/http_server/lib/src/virtual_directory.dart
File pkg/http_server/lib/src/virtual_directory.dart (right):
https://codereview.chromium.org/225813002/diff/1/pkg/http_server/lib/src/virtual_directory.dart#newcode288
pkg/http_server/lib/src/virtual_directory.dart:288: try {
Indentation.
https://codereview.chromium.org/225813002/diff/1/pkg/http_server/lib/src/virtual_directory.dart#newcode303
pkg/http_server/lib/src/virtual_directory.dart:303: print(e);
Debug print? …

Anders Johnsen, 2014-04-04 12:58:13 UTC (#3)

Will wait for Nathan to comment.
https://codereview.chromium.org/225813002/diff/1/pkg/http_server/lib/src/virtual_directory.dart
File pkg/http_server/lib/src/virtual_directory.dart (right):
https://codereview.chromium.org/225813002/diff/1/pkg/http_server/lib/src/virtual_directory.dart#newcode288
pkg/http_server/lib/src/virtual_directory.dart:288: try {
On …

nweiz, 2014-04-04 18:06:37 UTC (#4)

https://codereview.chromium.org/225813002/diff/20001/pkg/http_server/lib/src/virtual_directory.dart
File pkg/http_server/lib/src/virtual_directory.dart (right):
https://codereview.chromium.org/225813002/diff/20001/pkg/http_server/lib/src/virtual_directory.dart#newcode297
pkg/http_server/lib/src/virtual_directory.dart:297: <td>$modified</td>
Escape [modified] as well. Even though it doesn’t …

Anders Johnsen, 2014-04-07 07:03:08 UTC (#5)

Thanks. Landing.
https://codereview.chromium.org/225813002/diff/20001/pkg/http_server/lib/src/virtual_directory.dart
File pkg/http_server/lib/src/virtual_directory.dart (right):
https://codereview.chromium.org/225813002/diff/20001/pkg/http_server/lib/src/virtual_directory.dart#newcode297
pkg/http_server/lib/src/virtual_directory.dart:297: <td>$modified</td>
On 2014/04/04 18:06:37, nweiz wrote:
> …

Anders Johnsen, 2014-04-07 07:03:31 UTC (#6)

Message was sent while issue was closed.

Committed patchset #3 manually as r34769 (presubmit successful).

Issue 225813002: Fix XSS issues in http_server’s dir-listing and error-page. (Closed)
Comments: 10
