Module: check_mk
Branch: master
Commit: 899433f24d299f8a2d92248c97e161d74d717ec6
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=899433f24d299f…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Aug 3 12:19:14 2018 +0200
6423 FIX Fixed possible XSS in views with some filters
It was possible to inject some specific HTML tags (like the a-tag)
into the title of views which could be used to make users click on
it to execute some arbitrary javascript code.
Change-Id: I875f492607f7ebe2ac1583bdb7cea04e86957617
---
.werks/6423 | 13 +++++++++++++
cmk/gui/htmllib.py | 4 ++++
2 files changed, 17 insertions(+)
diff --git a/.werks/6423 b/.werks/6423
new file mode 100644
index 0000000..5545fe8
--- /dev/null
+++ b/.werks/6423
@@ -0,0 +1,13 @@
+Title: Fixed possible XSS in views with some filters
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1533231517
+
+It was possible to inject some specific HTML tags (like the a-tag)
+into the title of views which could be used to make users click on
+it to execute some arbitrary javascript code.
diff --git a/cmk/gui/htmllib.py b/cmk/gui/htmllib.py
index 67fd7f1..d52128c 100644
--- a/cmk/gui/htmllib.py
+++ b/cmk/gui/htmllib.py
@@ -1900,6 +1900,10 @@ class html(HTMLGenerator):
self.open_table(class_="header")
self.open_tr()
self.open_td(width="*", class_="heading")
+ # HTML() is needed here to prevent a double escape when we do self._escape_attribute
+ # here and self.a() escapes the content (with permissive escaping) again. We don't want
+ # to handle "title" permissive.
+ title = HTML(self.escaper.escape_attribute(title))
self.a(title, href="#", onfocus="if (this.blur) this.blur();",
onclick="this.innerHTML=\'%s\'; document.location.reload();" % _("Reloading..."))
self.close_td()
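Review bot: The new line escapes `title` with the attribute escaper and wraps the result in HTML() so that self.a() renders it as element text without escaping it again; that is only safe if escape_attribute also encodes `<`, `>` and `&` and not just quotes, which the hunk does not show — confirm against the escaper. The added comment explains the double-escape problem but not this contract, so I would extend it with `# escape_attribute encodes &, <, > and quotes, so the result is also safe as element text; HTML() only marks it as already escaped.` to make a later narrowing of the escaper visible at this call site. If the escaper exposes a plain-text escaping method, calling that instead of the attribute variant would state the intent more directly. The enclosing method of class html starts before the hunk and continues after it.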
Module: check_mk
Branch: master
Commit: 4507f84ace1e773ee0a53d0609005a5ec3b8952b
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=4507f84ace1e77…
Author: Tom Baerwinkel <tb(a)mathias-kettner.de>
Date: Thu Aug 2 17:21:39 2018 +0200
Make pylint work for imports from utils.py
Due to the way the dependencies were imported in __init__.py files
pylint was not able to check imports from utils.py. If e.g. a function
in cmk/gui/plugins/config/utils.py was made available via
cmk.gui.plugins.config in __init__.py pylint did not detect linting
errors when it was imported via cmk.gui.plugins.config. Errors were only
detected if the function was imported via cmk.gui.plugins.config.utils.
This is fixed now by introducing a load_plugins utility function which
is used instead.
Change-Id: I0fc6ee290ef2a0f4885ef3d471f0cdab866be481
---
cmk/gui/plugins/config/__init__.py | 8 ++----
cmk/gui/plugins/cron/__init__.py | 10 +++----
cmk/gui/plugins/dashboard/__init__.py | 8 ++----
cmk/gui/plugins/metrics/__init__.py | 8 ++----
cmk/gui/plugins/sidebar/__init__.py | 8 ++----
cmk/gui/plugins/userdb/__init__.py | 7 ++---
cmk/gui/plugins/views/__init__.py | 8 ++----
cmk/gui/plugins/views/icons/__init__.py | 8 ++----
cmk/gui/plugins/views/perfometers/__init__.py | 7 ++---
cmk/gui/plugins/visuals/__init__.py | 8 ++----
cmk/gui/plugins/wato/__init__.py | 8 ++----
cmk/plugin_loader.py | 39 +++++++++++++++++++++++++++
cmk_base/automations/__init__.py | 9 ++-----
cmk_base/modes/__init__.py | 8 ++----
14 files changed, 67 insertions(+), 77 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=4507f84ace…
Module: check_mk
Branch: master
Commit: b6af3a7547f6991e9fe2cf92c0e9749e145f8bec
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=b6af3a7547f699…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Aug 3 09:34:40 2018 +0200
6421 FIX Fixed interpretation of script tags when displaying werk texts
When werks are displayed in the GUI using the "Release notes" page and
a werk contained example "script" HTML tags, these tags were interpreted
by the browser and the containing scripts were executed.
Change-Id: I3ab965762920b6c78534a112fe7a169b04548405
---
.werks/6421 | 14 ++++++++++++++
cmk/gui/werks.py | 2 ++
2 files changed, 16 insertions(+)
diff --git a/.werks/6421 b/.werks/6421
new file mode 100644
index 0000000..a2722ec
--- /dev/null
+++ b/.werks/6421
@@ -0,0 +1,14 @@
+Title: Fixed interpretation of script tags when displaying werk texts
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1533220249
+
+When werks are displayed in the GUI using the "Release notes" page and
+a werk contained example "script" HTML tags, these tags were interpreted
+by the browser and the containing scripts were executed in the context
+of the browser.
diff --git a/cmk/gui/werks.py b/cmk/gui/werks.py
index 1a639cc..846e8af 100644
--- a/cmk/gui/werks.py
+++ b/cmk/gui/werks.py
@@ -517,6 +517,8 @@ def render_werk_description(werk):
if in_list:
html_code += "</ul>"
+ html_code = html_code.replace("<script>", "<script>").replace("</script>", "</script>")
+
html_code += "</p>"
return html_code
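Review bot: The added replace() call neutralises only the exact lowercase tokens `<script>` and `</script>` in the already-assembled markup, so variants of that tag and any other markup contained in a werk text are still handed to the browser as-is; a one-token denylist does not provide the guarantee the werk 6421 text claims. As printed on this page the search and replacement strings are identical, which would make the line a no-op — presumably the entity-encoded replacement (`&lt;script&gt;`) was lost in rendering, but this should be confirmed in the repository. The robust fix is to HTML-escape each text segment of the werk at the point where it is appended to html_code, before the `<p>`/`<ul>` markup is added around it, rather than post-processing the finished string; that change belongs in the body of render_werk_description, which starts before this hunk. If the werk format intentionally permits a small set of tags, allow those explicitly after escaping instead of denying one.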