From bf2274c8a4fb120a6b22972d4e39fd4315f053f8 Mon Sep 17 00:00:00 2001 From: Brian Carrier Date: Wed, 8 Oct 2008 22:03:00 +0000 Subject: [PATCH] added more entity escaping --- CHANGES.txt | 3 +++ lib/Caseman.pm | 49 +++++++++++++++++++++++++++++-------------------- 2 files changed, 32 insertions(+), 20 deletions(-) diff --git a/CHANGES.txt b/CHANGES.txt index 2b963e1830..9d386e9ed5 100644 --- a/CHANGES.txt +++ b/CHANGES.txt @@ -13,6 +13,9 @@ w/out encoding HTML entities. Reported by Russ McRee. 10/01/08: Update: HFS support is enabled if TSK was compiled with support for it. +10/08/08: Bug Fix: Added some more HTML entity escaping to case management +values (such as description). Reported by Daniel Medianero. + --------------------------- Version 2.10 -------------------------------- 2/20/08: Bug Fix: Added 'tsk' to the path for sorter to find the 'images' config file. Reported by Russell Reynolds. diff --git a/lib/Caseman.pm b/lib/Caseman.pm index 5c0414eb98..dd424bb874 100644 --- a/lib/Caseman.pm +++ b/lib/Caseman.pm @@ -326,7 +326,7 @@ sub read_case_config { next if ((/^\#/) || (/^\s+$/)); s/^\s+//; s/\s+$//; - $Caseman::cvals{$1} = $2 if (/^(\S+)\s+(.*)$/); + $Caseman::cvals{$1} = Print::html_encode($2) if (/^(\S+)\s+(.*)$/); } close(CONFIG); @@ -647,7 +647,7 @@ sub case_open { print " CHECKED"; $first = 1; } - print ">$c"; + print ">" . Print::html_encode($c) . ""; Caseman::read_case_config($c); @@ -720,11 +720,6 @@ sub case_details { read_case_config(); - $Caseman::cvals{'desc'} = " " - unless (exists $Caseman::cvals{'desc'}); - $Caseman::cvals{'created'} = " " - unless (exists $Caseman::cvals{'created'}); - print "
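Review bot: In the `@@ -326` hunk, `$Caseman::cvals{$1} = Print::html_encode($2)` bakes HTML entities into `%Caseman::cvals` at parse time, so every later consumer receives an already-encoded string; that is only correct if the hash feeds HTML output alone. If any caller writes `%Caseman::cvals` back to the case config, uses a value as a path, or encodes it again when printing, this will double-encode or corrupt the value — those callers are not visible from the hunk, so please confirm. The more robust split is to store the raw value here and call `Print::html_encode` at each print site, which is what the `@@ -2061` hunk already does for `$Caseman::alert_db`. read_case_config starts and ends outside the hunk.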

" . "
" . "\"Case" @@ -755,7 +750,9 @@ sub case_details { else { print "  "; } - print "$i\n"; + print "" + . Print::html_encode($i) + . "\n"; } print "\n" @@ -1343,14 +1340,14 @@ sub read_host_config { # desc XYZ elsif (/^desc\s+(.*)$/) { - $Caseman::host_desc = "$1"; + $Caseman::host_desc = Print::html_encode($1); } # hash databases - elsif (/^alert_db\s+'(.*)'$/) { + elsif (/^alert_db\s+'($::REG_HASHDB)'$/) { $Caseman::alert_db = "$1"; } - elsif (/^exclude_db\s+'(.*)'$/) { + elsif (/^exclude_db\s+'($::REG_HASHDB)'$/) { $Caseman::exclude_db = "$1"; } else { @@ -1883,7 +1880,7 @@ sub host_open { print " CHECKED"; $first = 1; } - print "> $h "; + print "> " . Print::html_encode($h) . " "; my $fname = Caseman::host_config_fname($h); open CONFIG, "<$fname" @@ -1895,7 +1892,7 @@ sub host_open { s/\s+$//; if (/^desc\s+(.*)$/) { - $desc = $1; + $desc = Print::html_encode($1); last; } } @@ -1927,7 +1924,7 @@ sub host_open { foreach my $i (@invs) { print "\n"; + print ">" . Print::html_encode($i) . "\n"; } print "\n"; } @@ -2061,21 +2058,27 @@ sub host_details { # Actual Directory "Directory:" - . "$::host_dir\n" + . "" + . Print::html_encode($::host_dir) + . "\n" . " \n" . # Alert Database "Alert Hash Database:" . "" - . (($Caseman::alert_db ne "") ? $Caseman::alert_db : " ") + . (($Caseman::alert_db ne "") + ? Print::html_encode($Caseman::alert_db) + : " ") . "\n" . # Exclude Database "Exclude Hash Database:" . "" - . (($Caseman::exclude_db ne "") ? $Caseman::exclude_db : " ") + . (($Caseman::exclude_db ne "") + ? Print::html_encode($Caseman::exclude_db) + : " ") . "\n" . "\n"; @@ -2229,7 +2232,10 @@ sub vol_open { $mnt[$i] = $1 if ($mnt[$i] =~ /^\d(.*?)--AUTOPSY--$::REG_VNAME$/o); print "" . "" . "$mnt[$i]"; + print ">" + . "" + . Print::html_encode($mnt[$i]) + . ""; # image name and ftype print 
@@ -2253,8 +2259,11 @@ sub vol_open { "  ( unalloc)$Caseman::vol2sname{$sort[$i]}$Caseman::vol2ftype{$sort[$i]}\n"; + print "> unalloc)" + . Print::html_encode($Caseman::vol2sname{$sort[$i]}) + . "" + . Print::html_encode($Caseman::vol2ftype{$sort[$i]}) + . "\n"; } # Begin Button