Module: check_mk
Branch: master
Commit: d65dda742a9141ca9fa444010730aa31512d0308
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d65dda742a9141…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 10:42:31 2015 +0200
#2389 SEC Fixed XSS using the _body_class parameter of views
It was possible to use the _body_class parameter of the status GUI views
to inject HTML/Javascript code into the pages.
The _body_class parameter, which was only used for internal purposes, has
now been removed entirely.
---
.werks/2389 | 14 ++++++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 12 +++++++-----
web/htdocs/views.py | 3 ---
web/plugins/dashboard/dashlets.py | 2 +-
5 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/.werks/2389 b/.werks/2389
new file mode 100644
index 0000000..f3d7ed6
--- /dev/null
+++ b/.werks/2389
@@ -0,0 +1,14 @@
+Title: Fixed XSS using the _body_class parameter of views
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435653652
+
+It was possible to use the _body_class parameter of the status GUI views
+to inject HTML/Javascript code into the pages.
+
+The _body_class parameter, which was only used for internal purposes, has
+totally been removed now.
diff --git a/ChangeLog b/ChangeLog
index ec8b852..7bce667 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,7 @@
* 2385 SEC: Fixed possible reflected XSS on all GUI pages where users can produce
unhandled exceptions...
* 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user
provided parameters...
* 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter
+ * 2389 SEC: Fixed XSS using the _body_class parameter of views...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index d6ffbef..fd3d5b7 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -114,6 +114,7 @@ class html:
self.ignore_transids = False
self.current_transid = None
self.page_context = {}
+ self.body_classes = ['main']
# Time measurement
self.times = {}
@@ -865,17 +866,18 @@ class html:
def immediate_browser_redirect(self, secs, url):
self.javascript("set_reload(%s, '%s');" % (secs, url))
- def body_css_classes(self):
- body_classes = [ "main" ]
- if self.var("_body_class"):
- body_classes.append(self.var("_body_class"))
+ def add_body_css_class(self, cls):
+ self.body_classes.append(cls)
+
+ def get_body_css_classes(self):
+ body_classes = self.body_classes
if self.screenshotmode:
body_classes.append("screenshotmode")
return " ".join(body_classes)
def body_start(self, title='', **args):
self.html_head(title, **args)
- self.write('<body class="%s">' %
self.body_css_classes())
+ self.write('<body class="%s">' %
self.get_body_css_classes())
def header(self, title='', **args):
if self.output_format == "html":
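Review bot: `get_body_css_classes` binds `body_classes` to `self.body_classes` itself rather than to a copy, so when `screenshotmode` is set every call appends another `"screenshotmode"` to the instance list; if the method runs more than once on the same `html` instance the class attribute keeps growing with duplicates. Using `body_classes = list(self.body_classes)` (or `self.body_classes[:]`) keeps the stored list as `add_body_css_class` left it and makes the method read-only. `add_body_css_class` also takes `cls` straight into `<body class="%s">` without escaping; the only caller in this commit passes the literal `'dashlet'`, so a comment such as `# cls must be a trusted literal, never request input: it is written unescaped into the body tag` would pin down the contract that the removed `_body_class` request parameter broke. `header` continues past the end of the hunk.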
diff --git a/web/htdocs/views.py b/web/htdocs/views.py
index 6181f53..a7e0dfe 100644
--- a/web/htdocs/views.py
+++ b/web/htdocs/views.py
@@ -2301,7 +2301,6 @@ def paint_header(view, p):
# Important for links:
# - Add the display options (Keeping the same display options as current)
# - Link to _self (Always link to the current frame)
- # - Keep the _body_class variable (e.g. for dashlets)
thclass = ''
onclick = ''
title = ''
@@ -2311,8 +2310,6 @@ def paint_header(view, p):
params = [
('sort', sort_url(view, painter, join_index)),
]
- if html.has_var('_body_class'):
- params.append(('_body_class', html.var('_body_class')))
if hasattr(html, 'title_display_options'):
params.append(('display_options', html.title_display_options))
diff --git a/web/plugins/dashboard/dashlets.py b/web/plugins/dashboard/dashlets.py
index ee74711..398f537 100644
--- a/web/plugins/dashboard/dashlets.py
+++ b/web/plugins/dashboard/dashlets.py
@@ -550,7 +550,7 @@ def dashlet_view(nr, dashlet):
html.set_var('display_options', 'HRSIXL')
html.set_var('_display_options', 'HRSIXL')
- html.set_var('_body_class', 'dashlet')
+ html.add_body_css_class('dashlet')
import views # FIXME: HACK, clean this up somehow
views.load_views()