Branch: refs/heads/1.6.0
Home:
https://github.com/tribe29/checkmk
Commit: fdc83feb6afa04ad48a6de5e211322850470a86f
https://github.com/tribe29/checkmk/commit/fdc83feb6afa04ad48a6de5e211322850…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-10-20 (Tue, 20 Oct 2020)
Changed paths:
M cmk/gui/htmllib.py
M tests/unit/cmk/gui/test_htmllib_Escaper.py
Log Message:
-----------
Rewrite matching a href unescape regex to separate attributes
The goal of this commit is to separate the values of the href and target
attributes in dedicated match groups. We also exclude the quotes from the
match groups to simplify the code.
Change-Id: Iadcd8a252f0c8bd737e5ad5671b93cc875f71898
Commit: 87ceb966b1ae46947b696232af84a4f9f0ab74e1
https://github.com/tribe29/checkmk/commit/87ceb966b1ae46947b696232af84a4f9f…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-10-20 (Tue, 20 Oct 2020)
Changed paths:
M cmk/gui/htmllib.py
M tests/unit/cmk/gui/test_htmllib_Escaper.py
Log Message:
-----------
Prevent non http/https links from being unescaped
Our permissive HTML escaping is preserving some HTML tags, which include basic
link tags (a tag with href and optional target attributes). Previous versions
were not inspecting the value of href, which made it possible to add links with
e.g. a "javascript:" protocol. This opened some XSS attack vectors.
After this change, it is only possible to link to http and https protocols. All
other links will not be unescaped.
Change-Id: If639df20428e46d5bdc7ef14dec659babd89f86d
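As an added illustration of the fix this commit message describes (a hypothetical re-implementation, not Checkmk's own htmllib code), the following escaper HTML-escapes everything and then restores only `<a href="..." target="...">` tags whose href starts with http:// or https://, keeping href and target in separate match groups with the quotes excluded:

```python
import html
import re

# Hypothetical permissive escaper modelled on the behaviour described in the
# commit message; not the project's own code. Everything is escaped first, then
# escaped <a> tags are matched and restored only if their href is allowed.
# The quotes are matched by a backreference so they stay out of the groups.
_ESCAPED_A_OPEN = re.compile(
    r"&lt;a href=(?P<q1>&quot;|&#x27;)(?P<href>.*?)(?P=q1)"
    r"(?: target=(?P<q2>&quot;|&#x27;)(?P<target>.*?)(?P=q2))?&gt;"
)
_ESCAPED_A_CLOSE = re.compile(r"&lt;/a&gt;")

# Only absolute http/https links are restored; javascript:, data:,
# vbscript: and any other scheme stay escaped and render as plain text.
_ALLOWED_PREFIXES = ("http://", "https://")


def is_allowed_href(href):
    """Scheme check on the (still HTML-escaped) attribute value."""
    return href.lower().startswith(_ALLOWED_PREFIXES)


def _restore_link(match):
    href = match.group("href")
    target = match.group("target")
    if not is_allowed_href(href):
        # Leave the escaped text untouched: no tag is emitted.
        return match.group(0)
    tag = f'<a href="{href}"'
    if target is not None:
        tag += f' target="{target}"'
    return tag + ">"


def escape_permissive(text):
    """Escape all HTML, then re-enable whitelisted http/https links."""
    escaped = html.escape(text, quote=True)
    escaped = _ESCAPED_A_OPEN.sub(_restore_link, escaped)
    return _ESCAPED_A_CLOSE.sub("</a>", escaped)
```

Note that the href value is checked after html.escape has run, so `&` inside a query string is already `&amp;` when the tag is rebuilt, which is the correct encoding for an attribute value.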
Commit: cada7adf232c5454dbdd4946c099c7b3d4f60ed7
https://github.com/tribe29/checkmk/commit/cada7adf232c5454dbdd4946c099c7b3d…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-10-20 (Tue, 20 Oct 2020)
Changed paths:
A .werks/11501
Log Message:
-----------
11501 SEC Fix possible XSS using titles of views
Authenticated users that are allowed to configure and share custom views
could inject arbitrary JS code to all users who are permitted to view this
view.
Change-Id: Ib7f2e4523eff3b3a460c6558b13e160057dcfffd
Compare:
https://github.com/tribe29/checkmk/compare/121a72f1bdd3...cada7adf232c