Hi all,
We recently received a report from Teguh P. Alko about an issue affecting Jenkins. Input was not sanitized before adding it to the page. The fix is public here since the start of 2013:
https://github.com/jenkinsci/jenkins/commit/f8d2a0ba6c2e261f48287bdd95bd7a2d7a8d2d0e
This could be used for copy and paste attacks, with the end result being similar to that of cross-site scripting attacks. It has been assigned CVE-2013-6488.
Please credit at least "Teguh P. Alko" in any advisories.
I am Cc'ing Reed to see if he knows who the other independent reporter is (from that Jira "SECURITY-46" bug in the above commit; as I understand it those bugs are not made public but I could be wrong).
war/src/main/webapp/scripts/hudson-behavior.js
@@ -1635,7 +1635,7 @@ function createSearchBox(searchURL) {
function updatePos() {
function max(a,b) { if(a>b) return a; else return b; }
- sizer.innerHTML = box.value;
+ sizer.innerHTML = box.value.escapeHTML();
var w = max(sizer.offsetWidth,minW.offsetWidth);
box.style.width =
comp.style.width =