From patchwork Thu Feb 27 15:49:39 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Lukas Fleischer <lfleischer@archlinux.org>
X-Patchwork-Id: 1525
Return-Path: <aur-dev-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id 338DC174F3152
	for <patchwork@archlinux.org>; Thu, 27 Feb 2020 16:03:57 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 apollo.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIMWL_WL_HIGH=-0.001,
	DKIM_SIGNED=0.1,DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,
	MAILING_LIST_MULTI=-1,RCVD_IN_DNSWL_MED=-2.3,SPF_HELO_NONE=0.001,
	T_DMARC_POLICY_NONE=0.01 autolearn=ham autolearn_force=no version=3.4.4
X-Spam-BL-Results: <dns:70.91.198.88.list.dnswl.org> [127.0.9.2]
Received: from orion.archlinux.org (orion.archlinux.org [88.198.91.70])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Thu, 27 Feb 2020 16:03:57 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id 4E1DB1979019D8;
	Thu, 27 Feb 2020 16:03:45 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	(Authenticated sender: luna)
	by orion.archlinux.org (Postfix) with ESMTPSA id B0FB31979019D2;
	Thu, 27 Feb 2020 16:03:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=archlinux.org;
	s=orion; t=1582819424;
	bh=X4a7eJyjC2ETtZ8kLHyL7sG+S27e+xkZ/qSIO+SDM8U=;
	h=From:To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:
	 List-Post:List-Help:List-Subscribe;
	b=bmDFkPkViGkPnzfQDCXiNUPYLzsx6c3se5Gc9wmiuoC/x/D+dM0+jHufvd/igNCaD
	 y8q8YQoO1EUcFvtocdoqClUfCvXBVagpwPa/ZDYE8oHeLaEkKFM2lx0+evbwG5OBZz
	 Xwkqw6QNX5xlKf8eKHADCrEiFVweZ+XRRxULzi8N/Q1dO69H8Lrutj50yoV359ijoo
	 xqdZepJjh4W1uEhpdwfVeFn2Dhcs11hunTGNJd1M5nB5WQZuv+Yocr1EERB+p+DNb2
	 qsWucUs75oT/wtvqmGf55vkQLI07ziNBdJR0Hm1okRU36bNSPnJXrNDndTZREJGVeH
	 ApBBbKO7Jbo2dYbyrC9oOheCJpk1+C9JmmViopzLq9cfKzi7zUUwknyHq9JxKmxScn
	 AVYDXxIuxaUU90FRAi9RHoxm/i8GzHBhODcGLB5JS8v6Z/ph4aN/kTk/UcaOTXvsrn
	 p+pKSW/f/MVIYX9qfysHp3fjASYxZCbPY+hRjd/7mxte8V+uvxGQ46brlfP60jVnK1
	 vZ3MjAboy0a0NzIHAdpM82NHrElGE/lI8X8Q1LfgnYTRl9l/IMEaghNEa8x75IcDoO
	 Obux6BKJIhamQsFCzDL1pnwu5ygCm7bI0hA/nskyqj5Lq7MWsXeJlOxWXqoha4Ot/z
	 +ywV9eNdn6195J28X9IBb3vQ=
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id 7AD3029D16;
	Thu, 27 Feb 2020 15:53:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=archlinux.org;
	s=luna2; t=1582818834;
	bh=X4a7eJyjC2ETtZ8kLHyL7sG+S27e+xkZ/qSIO+SDM8U=;
	h=From:To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:
	 List-Post:List-Help:List-Subscribe;
	b=gIgeCuIllFrw75mhFpXOdyCalsvNtu1vMRfoF/Sew1aDrE9O305vnXPvm8dmG5G00
	 Luse0R2b+QW8kL4vkgXhGkoqlTg9DWB+f+OTa9fnAsD6WM+cbhJ6x33k5i1zJSELdL
	 G/tirUZusiBtE31CB7pwFQ4Y5hc6BeSI/6I/NW+E3TEjG+YndJRsed95vb4H8IXTV+
	 HtK5MoEqRHMQcEXJRWo94hFgyrWjKO5dTNFcl42jiruSGy2Hyd4rVT6whcBUB+D2ky
	 KtFmm9l6hjczG1wzhhHDOJn/EmJ0hjs+S0AC0vsL+NVCf8LTLb8LXtpHXblxzvI+yv
	 OK5/Xq4RXDGTtjnTw1ogPvMPS/HrSdjmxybyI+y37GKiNmlEk3zkKWsF3JDINxehwk
	 WK6drTsgrwH5zHGwEND2n9Oy6AGd8ttyInJ7oPezJTjnLCrAsZ1PXBk6vKZKKJbbgj
	 tl7xzZ64xaFQvyKq97yf53VYOZPw+9ZihV+5/lnic1btUFFT7tnM76lVcG8R7Hrn9I
	 WdWiH+0WmSuFg3e/ippyNyOwy2h8nym8UDMw9s3fvcw37tjnK0O0mn+ze9j6WyQ7Wz
	 B3Tq+mIHv38qf3YzVplL3jbZV01TkPHUK+DMWAKID0nOSutzN52Dd7NohyAtLMKW4l
	 9iikQgz8kqXIgmk1MzNf0Qfs=
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id 0C5C929D02
 for <aur-dev@lists.archlinux.org>; Thu, 27 Feb 2020 15:50:34 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org [88.198.91.70])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Thu, 27 Feb 2020 15:50:34 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id 30C691978BEAE5
 for <aur-dev@lists.archlinux.org>; Thu, 27 Feb 2020 15:50:18 +0000 (UTC)
Received: from localhost (unknown
 [IPv6:2a02:8070:24e4:b800:b66b:fcff:fe3e:6273])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 (Authenticated sender: lfleischer)
 by orion.archlinux.org (Postfix) with ESMTPSA id 884781978B8A47
 for <aur-dev@archlinux.org>; Thu, 27 Feb 2020 15:49:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=archlinux.org;
 s=orion; t=1582818586;
 bh=X4a7eJyjC2ETtZ8kLHyL7sG+S27e+xkZ/qSIO+SDM8U=;
 h=From:To:Subject:Date;
 b=emcpeTmh7xT7tTjCIAanhnJe/FeQLwJ3s0McOOWnoYQJLxNJ1qVsRSQoReskomCUB
 SQinK0V3WvinOAuPb2tc9QqGdRIzr8WjNViKPonCQoN3NX3vlu2b7sel6KXfuAQurk
 8abvdO78QY6Alm7nvmQMBFMkD3ytMUjM9hNHxBIoUL4o7IT5S1tQl+aP2nvKnRxOmF
 VKIpqY8cRKl+XuidEgrcHhDyVzCBnFJnxGkNWiaefirmrJQmJECTL+IyJARMkm8JTb
 vv4pEATpZN5TqEq82tpRII0ANRkTtIZd+SLWbfk+JJMMSzPYi0gHZvYELTUzlOTDzs
 wifqnb6osdIYrRPk35RUkgRGAu1KLs9Pg75+Sh1B0eQX8In+mYCNaR7XDaAqZp4EYp
 9ox8tgYymormuhVGYSoLli6hJkSN0ypRgbwHXiaawKpIFxiCbTLdmWy/722QizHh7+
 S6DtoCHiCQt6ZldsT2JSSN0qQtxW+wuXu55s/ByeeDBzmz0RCz/gN66JDkZ+3SS9ap
 NUcfw2ewTWBqKYA8YxWBghONRugG5UEyt0d3B/QeA2xqJNumEY48j36bvmco86iP/d
 Dk9G22S47uyehd5uCscefYNK4XA4pk+cpYZtb7vYmJ04krxOnkqtPB6AVTl5NKBYQM
 r1ASlP1gSfqcf8HZbkBkylws=
From: Lukas Fleischer <lfleischer@archlinux.org>
To: aur-dev@archlinux.org
Subject: [PATCH] Properly escape passwords in the account edit form
Date: Thu, 27 Feb 2020 16:49:39 +0100
Message-Id: <20200227154939.106533-1-lfleischer@archlinux.org>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development" <aur-dev.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@archlinux.org>
List-Help: <mailto:aur-dev-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=subscribe>
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev" <aur-dev-bounces@archlinux.org>

Addresses FS#65639.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
Our live setup at aur.archlinux.org is already patched.

 web/template/account_edit_form.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/web/template/account_edit_form.php b/web/template/account_edit_form.php
index a4ea994..4ce6b87 100644
--- a/web/template/account_edit_form.php
+++ b/web/template/account_edit_form.php
@@ -157,12 +157,12 @@
 		<legend><?= __("If you want to change the password, enter a new password and confirm the new password by entering it again.") ?></legend>
 		<p>
 			<label for="id_passwd1"><?= __("Password") ?>:</label>
-			<input type="password" size="30" name="P" id="id_passwd1" value="<?= $P ?>" />
+			<input type="password" size="30" name="P" id="id_passwd1" value="<?= htmlspecialchars($P, ENT_QUOTES) ?>" />
 		</p>
 
 		<p>
 			<label for="id_passwd2"><?= __("Re-type password") ?>:</label>
-			<input type="password" size="30" name="C" id="id_passwd2" value="<?= $C ?>" />
+			<input type="password" size="30" name="C" id="id_passwd2" value="<?= htmlspecialchars($C, ENT_QUOTES) ?>" />
 		</p>
 	</fieldset>
 	<?php endif; ?>