Module: check_mk
Branch: master
Commit: 77f455273d4c9ec7b4243619c349d5229da0f17c
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=77f455273d4c9e…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Mar 21 10:38:33 2016 +0100
3297 SEC Fixes possible XSS in views sidebar snapin
Authenticated and permitted users could create views using
a topic which might contain HTML code, for example script tags,
that were executed when the view was listed in the views snapin.
Making the JS code be executed by other users is only possible with
view publish permissions which normally only admin users have.
---
.werks/3297 | 15 +++++++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 14 +++++++-------
web/htdocs/wato.py | 13 +++++++------
web/htdocs/watolib.py | 9 +++++----
web/plugins/sidebar/shipped.py | 3 ++-
web/plugins/sidebar/wato.py | 4 ++--
7 files changed, 39 insertions(+), 20 deletions(-)
diff --git a/.werks/3297 b/.werks/3297
new file mode 100644
index 0000000..7bd9f68
--- /dev/null
+++ b/.werks/3297
@@ -0,0 +1,15 @@
+Title: Fixes possible XSS in views sidebar snapin
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.9i1
+Date: 1458552307
+
+Authenticated and permitted users could create views using
+a topic which might contains HTML code, for example script tags,
+that where executed when having the view listed in the views snapin.
+
+Making the JS code be executed by other users is only possible with
+view publish permissions which normally only admin users have.
diff --git a/ChangeLog b/ChangeLog
index ba44d42..be4bac0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -96,6 +96,7 @@
* 3187 notification view: new filter for log command via regex
* 3228 The BI Treestate painter now exports the aggregation tree as real json
structure
* 3288 Implemented grouping of services in table views...
+ * 3297 SEC: Fixes possible XSS in views sidebar snapin...
* 3059 FIX: Fixed highlighting of availability timeline time slices
* 3175 FIX: Fix timeranges of graphs that are embedded in a dashboard...
* 3076 FIX: fixed broken views in check_mk raw edition
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index a505076..30512d5 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -1608,28 +1608,28 @@ class html(GUITester):
if indent == "nform":
self.write('<tr class=heading><td id="nform.%s.%s" %s
colspan=2>' % (treename, id, onclick))
if icon:
- self.write('<img class="treeangle title"
src="images/icon_%s.png">' % icon)
+ self.write('<img class="treeangle title"
src="images/icon_%s.png">' % self.attrencode(icon))
else:
self.write('<img align=absbottom class="treeangle nform"
src="images/%s_%s.png">' %
(tree_img, isopen and "90" or
"00"))
- self.write('%s</td></tr>' % title)
+ self.write('%s</td></tr>' % self.attrencode(title))
else:
if not icon:
self.write('<img align=absbottom class="treeangle"
id="treeimg.%s.%s" '
'src="images/%s_%s.png" %s>' %
(treename, id, tree_img, img_num, onclick))
- if title.startswith('<'): # custom HTML code
- self.write(title)
+ if isinstance(title, HTML): # custom HTML code
+ self.write(self.attrencode(title))
if indent != "form":
self.write("<br>")
else:
self.write('<b class="treeangle title" class=treeangle
%s>' % (not title_url and onclick or ""))
if icon:
- self.write('<img class="treeangle title"
src="images/icon_%s.png">' % icon)
+ self.write('<img class="treeangle title"
src="images/icon_%s.png">' % self.attrencode(icon))
if title_url:
- self.write('<a href="%s">%s</a>' %
(title_url, title))
+ self.write('<a href="%s">%s</a>' %
(self.attrencode(title_url), self.attrencode(title)))
else:
- self.write(title)
+ self.write(self.attrencode(title))
self.write('</b><br>')
indent_style = "padding-left: %dpx; " % (indent == True and 15 or
0)
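Review bot: The nform branch now escapes `title` unconditionally (`self.write('%s</td></tr>' % self.attrencode(title))`) while the two later branches distinguish `isinstance(title, HTML)`, so a markup title in nform mode renders correctly only if attrencode passes HTML instances through verbatim; that is presumably the case but is not visible in this hunk. The `treename`, `id` and `onclick` values written into the same `td`/`img` tags stay unencoded, and at least one caller updated in this commit (render_condition_editor in watolib.py) passes a configured tag topic as the id, so they deserve the same treatment. The changed contract should be stated on the function, e.g. `# title: plain text is escaped on output; wrap pre-rendered markup in HTML() to have it written as-is` — any caller not touched by this commit that still passes a string starting with `<` now renders it escaped. begin_foldable_container starts and ends outside the hunk.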
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index be6b91b..cf17f2a 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -556,13 +556,13 @@ def show_subfolder_title(subfolder):
if not config.wato_hide_filenames:
title += ' (%s)' % subfolder.name()
- html.write('<div class=title title="%s">' % title)
+ html.write('<div class=title title="%s">' %
html.attrencode(title))
if subfolder.may("read"):
html.write('<a href="%s">' % subfolder.url())
- html.write(subfolder.title())
+ html.write(html.attrencode(subfolder.title()))
html.write("</a>")
else:
- html.write(subfolder.title())
+ html.write(html.attrencode(subfolder.title()))
html.write('</div>')
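Review bot: The href in `html.write('<a href="%s">' % subfolder.url())` is the one interpolation in show_subfolder_title that stays unencoded while the title attribute and link text are now escaped; unless url() already encodes for attribute context, `html.write('<a href="%s">' % html.attrencode(subfolder.url()))` keeps the attribute well-formed for any `&` or quote in the query string. The same applies to `url` in the render_logfile_linkinfo hunk below, whose `return '<a href="%s">%s</a>' % (url, html.attrencode(title))` encodes only the link text, and to the `html.makeuri_contextless(...)` value in the render_component hunk of watolib.py. show_subfolder_title starts outside the hunk.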
@@ -4597,7 +4597,7 @@ def render_logfile_linkinfo(linkinfo):
else:
return ""
- return '<a href="%s">%s</a>' % (url, title)
+ return '<a href="%s">%s</a>' % (url,
html.attrencode(title))
def get_timerange(t):
@@ -4726,7 +4726,7 @@ def render_audit_log(log, what, with_filename = False,
hilite_others=False):
% _("This change has been made by another user")
htmlcode += user + '</td>'
- htmlcode += '</td><td
width="100%%">%s</td></tr>\n' % text
+ htmlcode += '</td><td
width="100%%">%s</td></tr>\n' % html.attrencode(text)
htmlcode += "</table>"
if what == 'audit':
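Review bot: `htmlcode += user + '</td>'` directly above the changed line still concatenates `user` unencoded while `text` from the same log entry now goes through attrencode. From the `_("This change has been made by another user")` fragment it looks like `user` may already be assembled as markup above the hunk; if so, the encoding belongs on the raw user id at the point it is interpolated there rather than here, since a log entry's user field is no more trustworthy than its text field. render_audit_log starts and ends outside the hunk.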
@@ -14186,7 +14186,8 @@ def mode_pattern_editor(phase):
match_img = 'nmatch'
match_title = reason
- html.begin_foldable_container("rule", str(rulenr), True,
"<b>Rule #%d</b>" % (rulenr + 1), indent = False)
+ html.begin_foldable_container("rule", str(rulenr), True,
+ HTML("<b>Rule #%d</b>" % (rulenr + 1)), indent
= False)
html.write('<table style="width:100%" class="data
logwatch"><tr>')
html.write('<th style="width:30px;">' +
_('Match') + '</th>')
html.write('<th style="width:50px;">' +
_('State') + '</th>')
diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index 699bbc1..3e2b283 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -481,8 +481,9 @@ class BaseFolder(WithPermissionsAndAttributes):
keepvars.append(("mode", "folder"))
def render_component(folder):
- return '<a href="%s">%s</a>' %
(html.makeuri_contextless([ ("folder", folder.path())]
- + keepvars),
folder.title())
+ return '<a href="%s">%s</a>' % \
+ (html.makeuri_contextless([ ("folder", folder.path())] +
keepvars),
+ html.attrencode(folder.title()))
def breadcrump_element_start(end = '', z_index = 0):
html.write('<li style="z-index:%d;"><div
class="left %s"></div>' % (z_index, end))
@@ -499,7 +500,7 @@ class BaseFolder(WithPermissionsAndAttributes):
if link_to_folder:
parts.append(render_component(self))
else:
- parts.append(self.title())
+ parts.append(html.attrencode(self.title()))
# Render the folder path
@@ -4292,7 +4293,7 @@ def render_condition_editor(tag_specs, varprefix=""):
make_foldable = len(all_topics) > 1
for topic in all_topics:
if make_foldable:
- html.begin_foldable_container("topic", topic, True,
"<b>%s</b>" % (_u(topic)))
+ html.begin_foldable_container("topic", topic, True,
HTML("<b>%s</b>" % (_u(topic))))
html.write("<table class=\"hosttags\">")
# Show main tags
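Review bot: `HTML("<b>%s</b>" % (_u(topic)))` marks the whole string as trusted markup, but `_u(topic)` is interpolated into it unescaped, so the HTML() wrapper now instructs begin_foldable_container to write any angle brackets or `&` in a topic name verbatim — the opposite of what the htmllib change intends. Escape the interpolated value before wrapping: `HTML("<b>%s</b>" % html.attrencode(_u(topic)))`. The same `topic` is also passed raw as the container id, which htmllib writes into `id=` and `onclick` attributes unencoded; topics are presumably admin-configured, but the encoding is cheap. render_condition_editor continues outside the hunk.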
diff --git a/web/plugins/sidebar/shipped.py b/web/plugins/sidebar/shipped.py
index fc593b0..9507cb9 100644
--- a/web/plugins/sidebar/shipped.py
+++ b/web/plugins/sidebar/shipped.py
@@ -1789,7 +1789,8 @@ def render_tag_tree_level(taggroups, path, cwd, title, tree):
"svc_problems")
if path:
- html.begin_foldable_container("tag-tree",
".".join(map(str, path)), False, bullet + title)
+ html.begin_foldable_container("tag-tree",
".".join(map(str, path)),
+ False, HTML(bullet + title))
items = tree.items()
items.sort()
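Review bot: `HTML(bullet + title)` wraps `title` as trusted markup without escaping it, so a tag or tag-group label containing `<` or `&` continues to be written verbatim, just as it was under the old `startswith('<')` check that the bullet markup satisfied. If `title` is plain text here — its origin is outside the hunk — `HTML(bullet + html.attrencode(title))` keeps the bullet markup and escapes only the label, matching what the sidebar/wato.py hunk does for `f["title"]` before wrapping. render_tag_tree_level starts and ends outside the hunk.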
diff --git a/web/plugins/sidebar/wato.py b/web/plugins/sidebar/wato.py
index fd9cef3..b8b008d 100644
--- a/web/plugins/sidebar/wato.py
+++ b/web/plugins/sidebar/wato.py
@@ -197,10 +197,10 @@ def render_tree_folder(f, js_func):
html.write("<ul style='padding-left: 0px;'>")
title = '<a class="link" href="#" onclick="%s(this,
\'%s\');">%s (%d)</a>' % (
- js_func, f[".path"], f["title"],
f[".num_hosts"])
+ js_func, f[".path"], html.attrencode(f["title"]),
f[".num_hosts"])
if not is_leaf:
- html.begin_foldable_container('wato-hosts', "/" +
f[".path"], False, title)
+ html.begin_foldable_container('wato-hosts', "/" +
f[".path"], False, HTML(title))
for subfolder in subfolders:
render_tree_folder(subfolder, js_func)
html.end_foldable_container()
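Review bot: `f[".path"]` is interpolated into the onclick JavaScript string literal (`\'%s\'`) without any escaping while `f["title"]` on the same line is now encoded; a quote or backslash in a folder path would terminate the literal or the attribute. If folder paths are restricted to a safe character set when folders are created this is moot, but that is not visible here; at minimum `html.attrencode(f[".path"])` keeps the attribute intact, and a JSON-encoded value is the robust form for a JS string literal. The `js_func` argument is written as code and must come from a fixed set of callers, which is worth a one-line comment on the function. render_tree_folder starts and ends outside the hunk.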