packages feed

keter 1.8.2 → 1.8.3

raw patch · 3 files changed

+12/−3 lines, 3 files

Files

ChangeLog.md view
@@ -1,6 +1,10 @@+## 1.8.3+++ HTML escape X-forwarded-host response as well.+ ## 1.8.2  -+ Fix XSS issue in the default response.++ Fix XSS issue in the default response for host not found.   (special thanks to Max @ulidtko for spotting and fixing this)  ## 1.8.1
Keter/Proxy.hs view
@@ -290,7 +290,12 @@ unknownHostResponse :: ByteString -> ByteString -> Wai.Response unknownHostResponse host body = Wai.responseBuilder     status200-    [("Content-Type", "text/html; charset=utf-8"), ("X-Forwarded-Host", host)]+    [("Content-Type", "text/html; charset=utf-8"),+     ("X-Forwarded-Host",+      -- if an attacker manages to insert line breaks somehow,+      -- this is also vulnerable.+      escapeHtml host+     )]     (copyByteString body)  escapeHtml :: ByteString -> ByteString
keter.cabal view
@@ -1,6 +1,6 @@ Cabal-version:       >=1.10 Name:                keter-Version:             1.8.2+Version:             1.8.3 Synopsis:            Web application deployment manager, focusing on Haskell web frameworks Description:         Hackage documentation generation is not reliable. For up to date documentation, please see: <http://www.stackage.org/package/keter>. Homepage:            http://www.yesodweb.com/