ejschmitt / delayed_job_web

Resque like web interface for delayed job
MIT License

Fixes #101: Add escape for CVE-2017-12097 #104

Closed (breckenedge closed this 6 years ago)

breckenedge commented 6 years ago

Triggered by including HTML in the queues param which is then combined with an A tag in raw HTML via the url_path (alias u) helper. Fixed by adding a CGI escape to the helper.

https://nvd.nist.gov/vuln/detail/CVE-2017-12097

andyatkinson commented 6 years ago

delayed_job_web 1.4.2 was released, please update and reply back here if it's working ok.

breckenedge commented 6 years ago

> delayed_job_web 1.4.2 was released, please update and reply back here if it's working ok.

Thank you! It's deployed and working OK.