Fix an XSS vulnerability in the system log (see CVE-2018-10125).

leofeyer · leofeyer · commit 89378e84ef71 · 2018-04-18T09:16:02.000+02:00
diff --git a/system/docs/CHANGELOG.md b/system/docs/CHANGELOG.md
@@ -1,6 +1,13 @@
 Contao Open Source CMS changelog
 ================================
 
+Version 3.5.35 (2018-04-18)
+---------------------------
+
+### Fixed
+Fix an XSS vulnerability in the system log (see CVE-2018-10125).
+
+
 Version 3.5.34 (2018-03-06)
 ---------------------------
 
diff --git a/system/modules/core/drivers/DC_Table.php b/system/modules/core/drivers/DC_Table.php
@@ -562,7 +562,7 @@ public function show()
 			$return .= '
   <tr>
     <td'.$class.'><span class="tl_label">'.$label.': </span></td>
-    <td'.$class.'>'.$row[$i].'</td>
+    <td'.$class.'>'.specialchars($row[$i]).'</td>
   </tr>';
 		}
 
diff --git a/system/modules/core/library/Contao/System.php b/system/modules/core/library/Contao/System.php
@@ -186,7 +186,7 @@ public static function log($strText, $strFunction, $strCategory)
 		}
 
 		\Database::getInstance()->prepare("INSERT INTO tl_log (tstamp, source, action, username, text, func, ip, browser) VALUES(?, ?, ?, ?, ?, ?, ?, ?)")
-							   ->execute(time(), (TL_MODE == 'FE' ? 'FE' : 'BE'), $strCategory, ($GLOBALS['TL_USERNAME'] ? $GLOBALS['TL_USERNAME'] : ''), specialchars($strText), $strFunction, $strIp, $strUa);
+							   ->execute(time(), (TL_MODE == 'FE' ? 'FE' : 'BE'), $strCategory, ($GLOBALS['TL_USERNAME'] ? $GLOBALS['TL_USERNAME'] : ''), specialchars($strText), $strFunction, $strIp, specialchars($strUa));
 
 		// HOOK: allow to add custom loggers
 		if (isset($GLOBALS['TL_HOOKS']['addLogEntry']) && is_array($GLOBALS['TL_HOOKS']['addLogEntry']))

Original file line number	Diff line number	Diff line change
`@@ -562,7 +562,7 @@ public function show()`
`562`	`562`	`$return .= '`
`563`	`563`	`<tr>`
`564`	`564`	`<td'.$class.'><span class="tl_label">'.$label.': </span></td>`
`565`		`- <td'.$class.'>'.$row[$i].'</td>`
	`565`	`+ <td'.$class.'>'.specialchars($row[$i]).'</td>`
`566`	`566`	`</tr>';`
`567`	`567`	`}`
`568`	`568`
Original file line number	Diff line number	Diff line change
`@@ -186,7 +186,7 @@ public static function log($strText, $strFunction, $strCategory)`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`\Database::getInstance()->prepare("INSERT INTO tl_log (tstamp, source, action, username, text, func, ip, browser) VALUES(?, ?, ?, ?, ?, ?, ?, ?)")`
`189`		`- ->execute(time(), (TL_MODE == 'FE' ? 'FE' : 'BE'), $strCategory, ($GLOBALS['TL_USERNAME'] ? $GLOBALS['TL_USERNAME'] : ''), specialchars($strText), $strFunction, $strIp, $strUa);`
	`189`	`+ ->execute(time(), (TL_MODE == 'FE' ? 'FE' : 'BE'), $strCategory, ($GLOBALS['TL_USERNAME'] ? $GLOBALS['TL_USERNAME'] : ''), specialchars($strText), $strFunction, $strIp, specialchars($strUa));`
`190`	`190`
`191`	`191`	`// HOOK: allow to add custom loggers`
`192`	`192`	`if (isset($GLOBALS['TL_HOOKS']['addLogEntry']) && is_array($GLOBALS['TL_HOOKS']['addLogEntry']))`