gi-docgen: fix CVE-2025-11687
CVE-2025-11687: A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). Reference: [https://nvd.nist.gov/vuln/detail/CVE-2025-11687] Upstream patch: [https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/c53d2640bfa5823bbdf33683d95c160267c0ec68] (From OE-Core rev: 76c1f08fadad94098bd265d662eb5a0408c95efc) Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com> Signed-off-by: Jinfeng Wang <jinfeng.wang.cn@windriver.com> Signed-off-by: Yoann Congal <yoann.congal@smile.fr> Signed-off-by: Paul Barker <paul@pbarker.dev>
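--- /dev/null
+++ b/CVE-2025-11687.patch
@@ -0,0 +1,90 @@
+From 0e97b155ff1b15bc3173118561316d8ea28ec9b7 Mon Sep 17 00:00:00 2001
+From: Emmanuele Bassi <ebassi@gnome.org>
+Date: Fri, 10 Oct 2025 17:06:22 +0100
+Subject: [PATCH] Make sure to escape query strings
+
+Unescaped query strings should not be passed to the HTML parser, to
+avoid unwanted execution of JavaScript.
+
+The query is shown in the header of the search results, so we can easily
+split the header from the results; then we use a plain text node to
+represent the query, and let the browser escape it.
+
+See: https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html
+
+Fixes: #228
+
+CVE: CVE-2025-11687
+Upstream-Status: Backport [https://gitlab.gnome.org/GNOME/gi-docgen/-/commit/c53d2640bfa5823bbdf33683d95c160267c0ec68]
+
+Signed-off-by: Zhang Peng <peng.zhang1.cn@windriver.com>
+---
+gidocgen/templates/basic/search.js | 30 +++++++++++++++++++-----------
+1 file changed, 19 insertions(+), 11 deletions(-)
+
+diff --git a/gidocgen/templates/basic/search.js b/gidocgen/templates/basic/search.js
+index 29c204f..628f0a6 100644
+--- a/gidocgen/templates/basic/search.js
++++ b/gidocgen/templates/basic/search.js
+@@ -182,17 +182,24 @@ function hideSearchResults() {
+}
+}
+
+-function renderResults(query, results) {
+- let html = "";
++function createResultsTitle(query, n_results) {
++ // Ensure we're returning an escaped query string, to ensure we
++ // prevent XSS vulnerabilities
++ let h1 = document.createElement("h1");
++ let text = document.createTextNode("Results for “" + query + "” (" + n_results + ")");
++ h1.appendChild(text)
++ return h1;
++}
+
+- html += "<h1>Results for "" + query + "" (" + results.length + ")</h1>" +
+- "<div id=\"search-results\">"
++function createResultsContent(results) {
++ let search_results = document.createElement("div");
++ search_results.setAttribute("id", "search-results");
+
+if (results.length === 0) {
+- html += "No results found.";
++ search_results.textContent = "No results found.";
+}
+else {
+- html += "<div class=\"results\"><dl>";
++ let html = "<div class=\"results\"><dl>";
+results.forEach(function(item) {
+html += "<dt class=\"result " + TYPE_CLASSES[item.type] + "\">" +
+"<a href=\"" + item.href + "\">" + item.text + "</a>" +
+@@ -204,11 +211,11 @@ function renderResults(query, results) {
+"<dd>" + item.summary + "</dd>";
+});
+html += "</dl></div>";
+- }
+
+- html += "</div>";
++ search_results.innerHTML = html;
++ }
+
+- return html;
++ return search_results;
+}
+
+function showResults(query, results) {
+@@ -218,9 +225,10 @@ function showResults(query, results) {
+window.history.replaceState(refs.input.value, "", baseUrl + extra + window.location.hash);
+}
+
+- window.title = "Results for: " + query;
++ window.title = "Results for “" + query + "” (" + results.length + ")";
+window.scroll({ top: 0 })
+- refs.search.innerHTML = renderResults(query, results);
++ refs.search.appendChild(createResultsTitle(query, results.length));
++ refs.search.appendChild(createResultsContent(results));
+showSearchResults(search);
+}
+
+--
+2.50.0
+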
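Review bot: The rewritten title line in showResults still assigns to `window.title`, which is not a DOM property (it only creates an expando), so the browser tab title is never updated; it should be `document.title = "Results for “" + query + "” (" + results.length + ")";` — that assignment is plain text, not markup, so it does not reopen the XSS. Replacing `refs.search.innerHTML = ...` with two `appendChild` calls also drops the implicit clearing of the container, so unless refs.search is emptied elsewhere (hideSearchResults/showSearchResults are outside this hunk), each successive search appends another heading and results block; `refs.search.replaceChildren(createResultsTitle(query, results.length), createResultsContent(results));` would keep the old replace semantics. The fix correctly moves the URL-controlled query into a text node, but createResultsContent still concatenates `item.href`, `item.text` and `item.summary` into innerHTML; these appear to come from the generated search index rather than the request, so the reflected path is closed, yet a short comment stating that the index is trusted to be HTML-safe (or escaping those fields) would document that assumption for the next reader.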
@@ -8,7 +8,10 @@ HOMEPAGE = "https://gnome.pages.gitlab.gnome.org/gi-docgen/"
|
||||
LICENSE = "GPL-3.0-or-later & Apache-2.0"
|
||||
LIC_FILES_CHKSUM = "file://gi-docgen.py;beginline=1;endline=5;md5=2dc0f1f01202478cfe813c0e7f80b326"
|
||||
|
||||
SRC_URI = "git://gitlab.gnome.org/GNOME/gi-docgen.git;protocol=https;branch=main"
|
||||
SRC_URI = "\
|
||||
git://gitlab.gnome.org/GNOME/gi-docgen.git;protocol=https;branch=main \
|
||||
file://CVE-2025-11687.patch \
|
||||
"
|
||||
|
||||
SRCREV = "96f2e9b93e1d8a5338eb05b87fd879856ab7b3cc"
|
||||
|
||||
|
||||