Merge pull request from GHSA-vf8w-xr57-hw87

* Fix formatstring vulnerability * Add hall of fame entry
svthalia · Jun 10, 2024 · 31e5b53 · 31e5b53
1 parent 133fb27
commit 31e5b53
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 5 deletions.
diff --git a/website/events/services.py b/website/events/services.py
@@ -64,7 +64,8 @@ def cancel_info_string(event: Event, cancel_status, reg_status):
             "Cancellation while on the waiting list will not result in a fine. However, you will not be able to re-register."
         ),
     }
-    return infos[cancel_status].format(fine=event.fine)
+    # No str.format(), see https://github.com/svthalia/concrexit/security/advisories/GHSA-vf8w-xr57-hw87.
+    return infos[cancel_status].replace("{fine}", str(event.fine))
 
 
 def registration_status(event: Event, registration: EventRegistration, member):
@@ -135,10 +136,13 @@ def registration_status_string(status, event: Event, registration: EventRegistra
     else:
         queue_pos = None
 
-    return status_msg.format(
-        fine=event.fine,
-        pos=queue_pos,
-        regstart=localize(timezone.localtime(event.registration_start)),
+    # Replace placeholders in the status message, but not using str.format(),
+    # which is vulnerable to injection attacks that could leak secrets.
+    # See https://github.com/svthalia/concrexit/security/advisories/GHSA-vf8w-xr57-hw87.
+    return (
+        status_msg.replace("{fine}", str(event.fine))
+        .replace("{pos}", str(queue_pos))
+        .replace("{regstart}", localize(timezone.localtime(event.registration_start)))
     )
 
 

diff --git a/website/singlepages/templates/singlepages/responsible_disclosure.html b/website/singlepages/templates/singlepages/responsible_disclosure.html
@@ -65,6 +65,7 @@ <h4>Exceptions</h4>
     <h2 class="section-title">Hall of fame</h2>
     <p>On this list, we thank the people that followed our responsible disclosure policy!</p>
     <ul>
+        <li><a href="https://www.linkedin.com/in/ward-theunisse" target="_blank">Ward Theunisse</a> for a very good report about a format string vulnerability.</li>
         <li><a href="https://www.linkedin.com/in/rhonny" target="_blank">Raju Basak</a> for informing us about a rate limiting problem on our password-reset form.</li>
         <li><a href="https://www.linkedin.com/in/ryh04x" target="_blank">Rhythm</a> for informing us about rate limiting and input validation that could be improved on the member registration form.</li>
     </ul>