prepare release 4.1.2

harmonize flags for PHP's htmlspecialchars
adapt PHP tests for debug output
2026-02-14 10:27:57 +00:00 · 2023-02-20 17:52:00 +01:00 · 2023-02-20 17:44:59 +01:00 · 2023-02-20 17:44:32 +01:00 · 2023-02-20 17:44:29 +01:00
5 changed files with 50 additions and 37 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -20,7 +20,7 @@ project(nominatim)

 set(NOMINATIM_VERSION_MAJOR 4)
 set(NOMINATIM_VERSION_MINOR 1)
-set(NOMINATIM_VERSION_PATCH 1)
+set(NOMINATIM_VERSION_PATCH 2)

 set(NOMINATIM_VERSION "${NOMINATIM_VERSION_MAJOR}.${NOMINATIM_VERSION_MINOR}.${NOMINATIM_VERSION_PATCH}")

--- a/12
+++ b/12
@@ -1,3 +1,7 @@
+4.1.2
+
+ * fix XSS vulnerability in debug view
+
 4.1.1

 * fix crash on update when addr:interpolation receives an illegal value
@@ -48,6 +52,10 @@
 * add setup instructions for updates and systemd
 * drop support for PostgreSQL 9.5

+4.0.2
+
+ * fix XSS vulnerability in debug view
+
 4.0.1

 * fix initialisation error in replication script
@@ -86,6 +94,10 @@
 * add testing of installation scripts via CI
 * drop support for Python < 3.6 and Postgresql < 9.5

+3.7.3
+
+ * fix XSS vulnerability in debug view
+
 3.7.2

 * fix database check for reverse-only imports
--- a/lib-php/DebugHtml.php
+++ b/lib-php/DebugHtml.php
@@ -135,7 +135,7 @@ class Debug

    public static function printSQL($sSQL)
    {
-        echo '<p><tt><font color="#aaa">'.$sSQL.'</font></tt></p>'."\n";
+        echo '<p><tt><font color="#aaa">'.htmlspecialchars($sSQL, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401).'</font></tt></p>'."\n";
    }

    private static function outputVar($mVar, $sPreNL)
@@ -178,11 +178,12 @@ class Debug
        }

        if (is_string($mVar)) {
-            echo "'$mVar'";
-            return strlen($mVar) + 2;
+            $sOut = "'$mVar'";
+        } else {
+            $sOut = (string)$mVar;
        }

-        echo (string)$mVar;
-        return strlen((string)$mVar);
+        echo htmlspecialchars($sOut, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401);
+        return strlen($sOut);
    }
 }
--- a/nominatim/version.py
+++ b/nominatim/version.py
@@ -25,7 +25,7 @@ from typing import Optional, Tuple
 # patch level when cherry-picking the commit with the migration.
 #
 # Released versions always have a database patch level of 0.
-NOMINATIM_VERSION = (4, 1, 1, 0)
+NOMINATIM_VERSION = (4, 1, 2, 0)

 POSTGRESQL_REQUIRED_VERSION = (9, 6)
 POSTGIS_REQUIRED_VERSION = (2, 2)
--- a/test/php/Nominatim/DebugTest.php
+++ b/test/php/Nominatim/DebugTest.php
@@ -37,14 +37,14 @@ class DebugTest extends \PHPUnit\Framework\TestCase
 <pre><b>Var1:</b>  <i>True</i></pre>
 <pre><b>Var2:</b>  <i>False</i></pre>
 <pre><b>Var3:</b>  0</pre>
-<pre><b>Var4:</b>  'String'</pre>
-<pre><b>Var5:</b>  0 => 'one'
-       1 => 'two'
-       2 => 'three'</pre>
-<pre><b>Var6:</b>  'key' => 'value'
-       'key2' => 'value2'</pre>
+<pre><b>Var4:</b>  &#039;String&#039;</pre>
+<pre><b>Var5:</b>  0 => &#039;one&#039;
+       1 => &#039;two&#039;
+       2 => &#039;three&#039;</pre>
+<pre><b>Var6:</b>  &#039;key&#039; => &#039;value&#039;
+       &#039;key2&#039; => &#039;value2&#039;</pre>
 <pre><b>Var7:</b>  me as string</pre>
-<pre><b>Var8:</b>  'value', 'value2'</pre>
+<pre><b>Var8:</b>  &#039;value&#039;, &#039;value2&#039;</pre>

 EOT
        );
@@ -64,10 +64,10 @@ EOT
    public function testDebugArray()
    {
        $this->expectOutputString(<<<EOT
-<pre><b>Arr0:</b>  'null'</pre>
-<pre><b>Arr1:</b>  'key1' => 'val1'
-       'key2' => 'val2'
-       'key3' => 'val3'</pre>
+<pre><b>Arr0:</b>  &#039;null&#039;</pre>
+<pre><b>Arr1:</b>  &#039;key1&#039; => &#039;val1&#039;
+       &#039;key2&#039; => &#039;val2&#039;
+       &#039;key3&#039; => &#039;val3&#039;</pre>

 EOT
        );
@@ -93,12 +93,12 @@ EOT
    <th><small>1</small></th>
  </tr>
  <tr>
-    <td><pre>'one'</pre></td>
-    <td><pre>'two'</pre></td>
+    <td><pre>&#039;one&#039;</pre></td>
+    <td><pre>&#039;two&#039;</pre></td>
  </tr>
  <tr>
-    <td><pre>'three'</pre></td>
-    <td><pre>'four'</pre></td>
+    <td><pre>&#039;three&#039;</pre></td>
+    <td><pre>&#039;four&#039;</pre></td>
  </tr>
 </table>
 <b>Table4:</b>
@@ -109,9 +109,9 @@ EOT
    <th><small>key3</small></th>
  </tr>
  <tr>
-    <td><pre>'val1'</pre></td>
-    <td><pre>'val2'</pre></td>
-    <td><pre>'val3'</pre></td>
+    <td><pre>&#039;val1&#039;</pre></td>
+    <td><pre>&#039;val2&#039;</pre></td>
+    <td><pre>&#039;val3&#039;</pre></td>
  </tr>
 </table>

@@ -147,18 +147,18 @@ EOT
  </tr>
  <tr>
    <td><pre>group1</pre></td>
-    <td><pre>'val1'</pre></td>
-    <td><pre>'val2'</pre></td>
+    <td><pre>&#039;val1&#039;</pre></td>
+    <td><pre>&#039;val2&#039;</pre></td>
  </tr>
  <tr>
    <td><pre>group1</pre></td>
-    <td><pre>'one'</pre></td>
-    <td><pre>'two'</pre></td>
+    <td><pre>&#039;one&#039;</pre></td>
+    <td><pre>&#039;two&#039;</pre></td>
  </tr>
  <tr>
    <td><pre>group2</pre></td>
-    <td><pre>'val1'</pre></td>
-    <td><pre>'val2'</pre></td>
+    <td><pre>&#039;val1&#039;</pre></td>
+    <td><pre>&#039;val2&#039;</pre></td>
  </tr>
 </table>
 <b>Table4:</b>
@@ -171,15 +171,15 @@ EOT
  </tr>
  <tr>
    <td><pre>group1</pre></td>
-    <td><pre>'val1'</pre></td>
-    <td><pre>'val2'</pre></td>
-    <td><pre>'val3'</pre></td>
+    <td><pre>&#039;val1&#039;</pre></td>
+    <td><pre>&#039;val2&#039;</pre></td>
+    <td><pre>&#039;val3&#039;</pre></td>
  </tr>
  <tr>
    <td><pre>group1</pre></td>
-    <td><pre>'val1'</pre></td>
-    <td><pre>'val2'</pre></td>
-    <td><pre>'val3'</pre></td>
+    <td><pre>&#039;val1&#039;</pre></td>
+    <td><pre>&#039;val2&#039;</pre></td>
+    <td><pre>&#039;val3&#039;</pre></td>
  </tr>
 </table>
Author	SHA1	Message	Date
Sarah Hoffmann	63852d2252	prepare release 4.1.2	2023-02-20 17:52:00 +01:00
Sarah Hoffmann	5c3691fb64	harmonize flags for PHP's htmlspecialchars	2023-02-20 17:44:59 +01:00
Sarah Hoffmann	6d94af3b5a	adapt PHP tests for debug output	2023-02-20 17:44:32 +01:00
Sarah Hoffmann	a1592faf5f	properly encode special HTML characters in debug mode	2023-02-20 17:44:29 +01:00