[checkmk-commits] [tribe29/checkmk] fdc83f: Rewrite matching a href unescape regex to separate...

Branch: refs/heads/1.6.0 Home: https://github.com/tribe29/checkmk Commit: fdc83feb6afa04ad48a6de5e211322850470a86f https://github.com/tribe29/checkmk/commit/fdc83feb6afa04ad48a6de5e211322850… Author: Lars Michelsen <lm(a)tribe29.com> Date: 2020-10-20 (Tue, 20 Oct 2020) Changed paths: M cmk/gui/htmllib.py M tests/unit/cmk/gui/test_htmllib_Escaper.py Log Message: ----------- Rewrite matching a href unescape regex to separate attributes The goal of this commit is to separate the values of the href and target attributes in dedicated match groups. We also exclude the quotes from the match groups to simplify the code. Change-Id: Iadcd8a252f0c8bd737e5ad5671b93cc875f71898 Commit: 87ceb966b1ae46947b696232af84a4f9f0ab74e1 https://github.com/tribe29/checkmk/commit/87ceb966b1ae46947b696232af84a4f9f… Author: Lars Michelsen <lm(a)tribe29.com> Date: 2020-10-20 (Tue, 20 Oct 2020) Changed paths: M cmk/gui/htmllib.py M tests/unit/cmk/gui/test_htmllib_Escaper.py Log Message: ----------- Prevent non http/https links from being unescaped Our permissive HTML escaping is preserving some HTML tags, which includes basic link tags (a tag with href and optional target attributes). Previous versions were not inspecting the value of href, which made it possible to add links with e.g. a "javascript:" protocol. This opened some XSS attack vectors. After this change it is only possible to link to http and https protocols. All other links will not be unescaped. Change-Id: If639df20428e46d5bdc7ef14dec659babd89f86d Commit: cada7adf232c5454dbdd4946c099c7b3d4f60ed7 https://github.com/tribe29/checkmk/commit/cada7adf232c5454dbdd4946c099c7b3d… Author: Lars Michelsen <lm(a)tribe29.com> Date: 2020-10-20 (Tue, 20 Oct 2020) Changed paths: A .werks/11501 Log Message: ----------- 11501 SEC Fix possible XSS using titles of views Authenticated users that are allowed to configure and share custom views could inject arbitrary JS code to all users which are permitted to view this view. Change-Id: Ib7f2e4523eff3b3a460c6558b13e160057dcfffd Compare: https://github.com/tribe29/checkmk/compare/121a72f1bdd3...cada7adf232c