keter 1.8.2 → 1.8.3
raw patch · 3 files changed
+12/−3 lines, 3 files
Files
- ChangeLog.md +5/−1
- Keter/Proxy.hs +6/−1
- keter.cabal +1/−1
ChangeLog.md view
@@ -1,6 +1,10 @@+## 1.8.3+++ HTML escape X-forwarded-host response as well.+ ## 1.8.2 -+ Fix XSS issue in the default response.++ Fix XSS issue in the default response for host not found. (special thanks to Max @ulidtko for spotting and fixing this) ## 1.8.1
Keter/Proxy.hs view
@@ -290,7 +290,12 @@ unknownHostResponse :: ByteString -> ByteString -> Wai.Response unknownHostResponse host body = Wai.responseBuilder status200- [("Content-Type", "text/html; charset=utf-8"), ("X-Forwarded-Host", host)]+ [("Content-Type", "text/html; charset=utf-8"),+ ("X-Forwarded-Host",+ -- if an attacker manages to insert line breaks somehow,+ -- this is also vulnerable.+ escapeHtml host+ )] (copyByteString body) escapeHtml :: ByteString -> ByteString
keter.cabal view
@@ -1,6 +1,6 @@ Cabal-version: >=1.10 Name: keter-Version: 1.8.2+Version: 1.8.3 Synopsis: Web application deployment manager, focusing on Haskell web frameworks Description: Hackage documentation generation is not reliable. For up to date documentation, please see: <http://www.stackage.org/package/keter>. Homepage: http://www.yesodweb.com/