Diffstat (limited to 'debian/patches/CVE-2021-3427_1.patch')
-rw-r--r--debian/patches/CVE-2021-3427_1.patch125
1 files changed, 125 insertions, 0 deletions
diff --git a/debian/patches/CVE-2021-3427_1.patch b/debian/patches/CVE-2021-3427_1.patch
new file mode 100644
index 0000000..fca4f58
--- /dev/null
+++ b/debian/patches/CVE-2021-3427_1.patch
@@ -0,0 +1,125 @@
+commit a5503c0c606e196f368a58ea3d1b8457e76a3a31
+Author: Calum Lind <calumlind+deluge@gmail.com>
+Date: Mon Feb 14 18:00:23 2022 +0000
+
+ [WebUI] Fix encoding HTML entities for torrent attributes
+
+ Ensure all torrent attributes that might contain malicious HTML entities
+ are encoded.
+
+ By allowing HTML entities to be rendered it enable malicious torrent
+ files to perform XSS attacks.
+
+ Resolves: https://dev.deluge-torrent.org/ticket/3459
+
+diff --git a/deluge/ui/web/js/deluge-all/EditTrackersWindow.js b/deluge/ui/web/js/deluge-all/EditTrackersWindow.js
+index f6733aaa6..178fd583f 100644
+--- a/deluge/ui/web/js/deluge-all/EditTrackersWindow.js
++++ b/deluge/ui/web/js/deluge-all/EditTrackersWindow.js
+@@ -57,6 +57,7 @@ Deluge.EditTrackersWindow = Ext.extend(Ext.Window, {
+ header: _('Tracker'),
+ width: 0.9,
+ dataIndex: 'url',
++ tpl: new Ext.XTemplate('{url:htmlEncode}'),
+ },
+ ],
+ columnSort: {
+diff --git a/deluge/ui/web/js/deluge-all/FilterPanel.js b/deluge/ui/web/js/deluge-all/FilterPanel.js
+index b6e5ec5ca..f1fade120 100644
+--- a/deluge/ui/web/js/deluge-all/FilterPanel.js
++++ b/deluge/ui/web/js/deluge-all/FilterPanel.js
+@@ -171,5 +171,5 @@ Deluge.FilterPanel.templates = {
+ tracker_host:
+ '<div class="x-deluge-filter" style="background-image: url(' +
+ deluge.config.base +
+- 'tracker/{filter});">{filter} ({count})</div>',
++ 'tracker/{filter});">{filter:htmlEncode} ({count})</div>',
+ };
+diff --git a/deluge/ui/web/js/deluge-all/TorrentGrid.js b/deluge/ui/web/js/deluge-all/TorrentGrid.js
+index 198ec279f..ded3fb03b 100644
+--- a/deluge/ui/web/js/deluge-all/TorrentGrid.js
++++ b/deluge/ui/web/js/deluge-all/TorrentGrid.js
+@@ -17,7 +17,7 @@
+ return String.format(
+ '<div class="torrent-name x-deluge-{0}">{1}</div>',
+ r.data['state'].toLowerCase(),
+- value
++ Ext.util.Format.htmlEncode(value)
+ );
+ }
+ function torrentSpeedRenderer(value) {
+@@ -62,7 +62,7 @@
+ '<div style="background: url(' +
+ deluge.config.base +
+ 'tracker/{0}) no-repeat; padding-left: 20px;">{0}</div>',
+- value
++ Ext.util.Format.htmlEncode(value)
+ );
+ }
+
+diff --git a/deluge/ui/web/js/deluge-all/add/AddWindow.js b/deluge/ui/web/js/deluge-all/add/AddWindow.js
+index a4aff067b..771543de3 100644
+--- a/deluge/ui/web/js/deluge-all/add/AddWindow.js
++++ b/deluge/ui/web/js/deluge-all/add/AddWindow.js
+@@ -93,6 +93,9 @@ Deluge.add.AddWindow = Ext.extend(Deluge.add.Window, {
+ sortable: true,
+ renderer: torrentRenderer,
+ dataIndex: 'text',
++ tpl: new Ext.XTemplate(
++ '<div class="x-deluge-add-torrent-name">{text:htmlEncode}</div>'
++ ),
+ },
+ ],
+ stripeRows: true,
+diff --git a/deluge/ui/web/js/deluge-all/add/FilesTab.js b/deluge/ui/web/js/deluge-all/add/FilesTab.js
+index fed52282d..d712c023d 100644
+--- a/deluge/ui/web/js/deluge-all/add/FilesTab.js
++++ b/deluge/ui/web/js/deluge-all/add/FilesTab.js
+@@ -28,6 +28,7 @@ Deluge.add.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
+ header: _('Filename'),
+ width: 295,
+ dataIndex: 'filename',
++ tpl: new Ext.XTemplate('{filename:htmlEncode}'),
+ },
+ {
+ header: _('Size'),
+diff --git a/deluge/ui/web/js/deluge-all/details/DetailsTab.js b/deluge/ui/web/js/deluge-all/details/DetailsTab.js
+index fdb4f7f0d..f1da178b1 100644
+--- a/deluge/ui/web/js/deluge-all/details/DetailsTab.js
++++ b/deluge/ui/web/js/deluge-all/details/DetailsTab.js
+@@ -91,7 +91,9 @@ Deluge.details.DetailsTab = Ext.extend(Ext.Panel, {
+ for (var field in this.fields) {
+ if (!Ext.isDefined(data[field])) continue; // This is a field we are not responsible for.
+ if (data[field] == this.oldData[field]) continue;
+- this.fields[field].dom.innerHTML = Ext.escapeHTML(data[field]);
++ this.fields[field].dom.innerHTML = Ext.util.Format.htmlEncode(
++ data[field]
++ );
+ }
+ this.oldData = data;
+ },
+diff --git a/deluge/ui/web/js/deluge-all/details/FilesTab.js b/deluge/ui/web/js/deluge-all/details/FilesTab.js
+index edc388d19..60de832a6 100644
+--- a/deluge/ui/web/js/deluge-all/details/FilesTab.js
++++ b/deluge/ui/web/js/deluge-all/details/FilesTab.js
+@@ -18,6 +18,7 @@ Deluge.details.FilesTab = Ext.extend(Ext.ux.tree.TreeGrid, {
+ header: _('Filename'),
+ width: 330,
+ dataIndex: 'filename',
++ tpl: new Ext.XTemplate('{filename:htmlEncode}'),
+ },
+ {
+ header: _('Size'),
+diff --git a/deluge/ui/web/js/deluge-all/details/PeersTab.js b/deluge/ui/web/js/deluge-all/details/PeersTab.js
+index 66d4a4b95..a1919630d 100644
+--- a/deluge/ui/web/js/deluge-all/details/PeersTab.js
++++ b/deluge/ui/web/js/deluge-all/details/PeersTab.js
+@@ -73,7 +73,7 @@
+ header: _('Client'),
+ width: 125,
+ sortable: true,
+- renderer: fplain,
++ renderer: 'htmlEncode',
+ dataIndex: 'client',
+ },
+ {
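Review bot: In the FilterPanel.js hunk only the second `{filter}` substitution is encoded; the first one, inside `url(` + deluge.config.base + `tracker/{filter})` within the `style` attribute, still receives the raw tracker host, so that value is inserted into the attribute unescaped. The TorrentGrid.js hunk at the equivalent template passes `Ext.util.Format.htmlEncode(value)` to both `{0}` slots, so the two files are now inconsistent. The FilterPanel line should read `'tracker/{filter:htmlEncode});">{filter:htmlEncode} ({count})</div>',`, or the host should be explicitly URL-encoded before being placed in the url() path. The functions enclosing both TorrentGrid.js hunks, and the column definition in the PeersTab.js hunk, start or end outside the hunk.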