git.ipfire.org Git - ipfire-2.x.git/commit

author	Adolf Belka <adolf.belka@ipfire.org>
	Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)
committer	Michael Tremer <michael.tremer@ipfire.org>
	Thu, 2 Oct 2025 16:55:31 +0000 (16:55 +0000)
commit	9ceb7c7e8b3191109e7dd7c84444dce126996ee2
tree	e674ca7efb363583c43acb1fab43cbd0f4d577b3	tree \| snapshot
parent	e6a0ecf248d26c72f015d082e84ecd2772823c08	commit \| diff

proxy.cgi: Further fix for bug 13893

- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
   for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
   description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
   which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
   bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
   ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD

Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>