Module: check_mk
Branch: master
Commit: 6ecb1a6fe7e77ee0e4b5df938f1f5a864e18dd68
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=6ecb1a6fe7e77e…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Oct 22 14:59:13 2013 +0200
FIX: Improved user provided variable validation in view code
---
ChangeLog | 1 +
web/htdocs/htmllib.py | 14 ++++++++------
web/htdocs/views.py | 4 +++-
3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index a5c9951..bc9b138 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -588,6 +588,7 @@
folders that do not exist locally
* FIX: correctly display sub-minute check/retry intervals
* FIX: fix logic of some numeric sorters
+ * FIX: Improved user provided variable validation in view code
WATO:
* FIX: fix layout of Auxiliary tags table
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index 115fef1..0be74f0 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -346,6 +346,7 @@ class html:
self.context_buttons_open = False
def context_button(self, title, url, icon=None, hot=False, id=None, bestof=None,
hover_title='', fkey=None):
+ title = self.attrencode(title)
display = "block"
if bestof:
counts = self.get_button_counts()
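Review bot: `title` is encoded once at the top of context_button here and then a second time in the icon branch of the next hunk (`'<img src="images/icon_%s.png">%s' % (self.attrencode(icon), self.attrencode(title))`), so with an icon a title containing `&`, `<` or `"` is presumably emitted double-escaped, unless `attrencode` happens to be idempotent. The entry-point encoding is the one to keep, because the keysym `<div class=keysym>F%d</div>` appended later is markup that relies on `title` being already safe; in the icon branch use the value as is, `title = '<img src="images/icon_%s.png">%s' % (self.attrencode(icon), title)`. A one-line comment at the entry point, `# title is HTML-encoded once here; everything appended below is trusted markup`, would keep the two from drifting again. context_button's body continues past this hunk.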
@@ -360,22 +361,23 @@ class html:
self.begin_context_buttons()
if icon:
- title = '<img src="images/icon_%s.png">%s' % (icon,
title)
+ title = '<img src="images/icon_%s.png">%s' %
(self.attrencode(icon), self.attrencode(title))
if id:
- idtext = " id='%s'" % id
+ idtext = " id='%s'" % self.attrencode(id)
else:
idtext = ""
- self.write('<div%s style="display:%s"
class="contextlink%s%s" ' % (idtext, display, hot and " hot" or
"", (fkey and self.keybindings_enabled) and " button" or
""))
+ self.write('<div%s style="display:%s"
class="contextlink%s%s" ' %
+ (idtext, display, hot and " hot" or "", (fkey and
self.keybindings_enabled) and " button" or ""))
self.context_button_hover_code(hot and "_hot" or "")
self.write('>')
- self.write('<a href="%s"' % url)
+ self.write('<a href="%s"' % self.attrencode(url))
if hover_title:
- self.write(' title="%s"' % hover_title)
+ self.write(' title="%s"' % self.attrencode(hover_title))
if bestof:
self.write(' onclick="count_context_button(this);
document.location=this.href; " ')
if fkey and self.keybindings_enabled:
title += '<div class=keysym>F%d</div>' % fkey
- self.add_keybinding([html.F1 + (fkey - 1)],
"document.location='%s';" % url)
+ self.add_keybinding([html.F1 + (fkey - 1)],
"document.location='%s';" % self.attrencode(url))
self.write('>%s</a></div>\n' % title)
def context_button_hover_code(self, what):
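Review bot: `self.attrencode(url)` is used in two different output contexts in this hunk: inside the `href` attribute, where HTML attribute encoding fits, and inside a JavaScript string literal handed to `add_keybinding` (`"document.location='%s';" % self.attrencode(url)`), where it does not — a `'` or backslash in `url` still ends or alters the literal unless `attrencode` also escapes those characters, which is not visible from here. A JS literal wants a JSON-style encoder (`json.dumps(url)` supplies its own quotes, so the surrounding `'…'` would go); the same question applies to the single-quoted `id='%s'` attribute, which is only safe if `attrencode` escapes `'`. Confirm what `attrencode` escapes and record it on the method, e.g. `# attrencode(): for double-quoted HTML attribute values only; JS string literals need a JSON encoder`. context_button_hover_code starts on the last line of this hunk and its body is outside.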
diff --git a/web/htdocs/views.py b/web/htdocs/views.py
index 5958fc0..f88a4f6 100644
--- a/web/htdocs/views.py
+++ b/web/htdocs/views.py
@@ -500,6 +500,8 @@ def page_edit_view():
if cloneuser:
mode = 'clone'
view = copy.deepcopy(html.multisite_views.get((cloneuser, viewname), None))
+ if not view:
+ raise MKUserError('cloneuser', _('The view does not
exist.'))
# Make sure, name is unique
if cloneuser == config.user_id: # Clone own view
newname = viewname + "_clone"
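Review bot: The new guard sits after `copy.deepcopy(...)` of a lookup that may return None, so the missing-view case is detected only after a copy of None; reading is clearer if the lookup is checked before the copy: `view = html.multisite_views.get((cloneuser, viewname))`, then `if not view: raise MKUserError('cloneuser', _('The view does not exist.'))`, and only then `view = copy.deepcopy(view)`. The error is attributed to the `cloneuser` field although the lookup key is `(cloneuser, viewname)`, so a bad `viewname` is presumably reported against the wrong field; if both come from the request, name the one the form actually exposes. page_edit_view's body begins before and continues after this hunk.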
@@ -1135,7 +1137,7 @@ def page_view():
raise MKGeneralException(_("Missing the variable view_name in the
URL."))
view = html.available_views.get(view_name)
if not view:
- raise MKGeneralException(("No view defined with the name
'%s'.") % view_name)
+ raise MKGeneralException(("No view defined with the name
'%s'.") % html.attrencode(view_name))
show_view(view, True, True, True)
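Review bot: As printed, the new `MKGeneralException` message on the changed line is not wrapped in `_()` while its sibling three lines above (`_("Missing the variable view_name in the URL.")`) is; if that is not a rendering artifact, use `raise MKGeneralException(_("No view defined with the name '%s'.") % html.attrencode(view_name))`. Encoding `view_name` here presumes the exception text is later rendered as HTML without further escaping, which this hunk cannot show; a short comment at the raise, `# view_name comes from the URL; the exception text is rendered as HTML`, would stop a later reader from dropping the encoding as redundant, or from double-encoding if the renderer already escapes. page_view's body begins before this hunk.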