[PATCH 0/2] XSS in Patchwork - CVE-2019-13122

Daniel Axtens dja at axtens.net
Fri Jul 5 12:07:01 AEST 2019


Andrew Donnellan discovered an XSS via the message-id field. A
malicious user could send a patch with a message ID that included a
script tag. Because of the quirks of the email RFCs, such a message ID
can survive being sent through many mail systems, including Gmail, and
be parsed and stored by Patchwork. When a user views a patch detail
page for the patch with this message id, the script would be run.

This is due to an erroneous mark_safe() in the template tag that
renders message IDs. This has been present since v1.1 of upstream
Patchwork, but does not affect the FreeDesktop fork. The bug is fixed
in patch 1. If you run a patchwork instance, you should apply it
immediately. There is also a test patch, patch 2, that you may find
helpful.

Over the last few days we have disclosed this bug to the admins of
patchwork instances that we could identify. We were hoping to give
people running instances a few more days but the embargo was
accidentally broken early, so we're letting you all know now.

I have already applied these patches to the git repository. I have
also backported the patches to 2.1 and 2.0, pushed them, and will do a
new release of both shortly.

Kind regards,
Daniel


Andrew Donnellan (2):
  templatetags: Do not mark output of msgid tag as safe
  tests: Add test for unescaped values in patch detail page

 patchwork/templatetags/patch.py |  3 ++-
 patchwork/tests/test_detail.py  | 17 +++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

-- 
2.20.1
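The bug class described above, as an added example that is not Patchwork's or Django's code: a stand-alone model of template autoescaping (SafeString, mark_safe and render are stand-ins for the Django pieces, and the e-mail and its Message-ID are constructed) showing why a filter that marks the Message-ID safe lets markup through, beside the plain-string form that stays escaped.

```python
import email
import html

# Constructed sample message: the Message-ID carries markup that mail
# parsers tolerate and pass through untouched.
RAW_EMAIL = (
    "From: sender@example.invalid\n"
    "Message-ID: <a<script>alert(1)</script>@example.invalid>\n"
    "Subject: [PATCH] constructed sample\n"
    "\n"
    "body\n"
)


class SafeString(str):
    """Stand-in for Django's SafeString: a str the renderer will not escape."""


def mark_safe(value):
    """Stand-in for django.utils.safestring.mark_safe."""
    return SafeString(value)


def render(value):
    """Model of template autoescape: escape everything except SafeString."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def parse_msgid(raw):
    """Header value as a mail parser hands it to the application, unsanitised."""
    return email.message_from_string(raw)["Message-ID"]


def msgid_vulnerable(value):
    """Filter shape described in the advisory: output wrongly marked safe."""
    return mark_safe(value.strip("<>"))


def msgid_fixed(value):
    """Hardened filter: return a plain str so autoescape still applies."""
    return value.strip("<>")


def demo():
    msgid = parse_msgid(RAW_EMAIL)
    return {"vulnerable": render(msgid_vulnerable(msgid)),
            "fixed": render(msgid_fixed(msgid))}
```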
