Module: check_mk
Branch: master
Commit: 18c7a774c9cf8764b044458b50e8d62a8ae8ae12
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=18c7a774c9cf87…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jun 30 10:49:08 2015 +0200
It was possible to use the view_name variable to inject HTML/Javascript
code into the status GUI views.
Conflicts:
ChangeLog
web/htdocs/htmllib.py
---
.werks/2390 | 11 +++++++++++
ChangeLog | 1 +
web/htdocs/htmllib.py | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.werks/2390 b/.werks/2390
new file mode 100644
index 0000000..27b905a
--- /dev/null
+++ b/.werks/2390
@@ -0,0 +1,11 @@
+Title: Fixed possible XSS issue on views
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1435654030
+
+It was possible to use the view_name variable to inject HTML/Javascript
+code into the status GUI views.
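Review bot: the werk body only restates the symptom from the commit message; for a Class: security entry it should also name the affected element and the fix, i.e. that view_name was interpolated unescaped into the data='[...]' attribute of the "Add this view to..." status icon and is now passed through attrencode(), so administrators reading the werk can judge their exposure without opening the diff.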
diff --git a/ChangeLog b/ChangeLog
index 7bce667..0255535 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -28,6 +28,7 @@
* 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user
provided parameters...
* 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter
* 2389 SEC: Fixed XSS using the _body_class parameter of views...
+ * 2390 SEC: Fixed possible XSS issue on views...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index fd3d5b7..1d0b83f 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -1004,7 +1004,7 @@ class html:
'<img class=statusicon src="images/icon_menu.png"
title="%s">\n' % _("Add this view to..."),
'add_visual', 'add_visual', data='[\'%s\',
%s, {\'name\': \'%s\'}]' %
(mode_name,
self.attrencode(repr(encoded_vars)),
- self.var('view_name')))
+
self.attrencode(self.var('view_name'))))
for img, tooltip in self.status_icons.items():
if type(tooltip) == tuple:
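Review bot: the added attrencode() on the final `+` line escapes view_name for the HTML attribute, but the value also lands inside a single-quoted JavaScript string (`{\'name\': \'%s\'}`) within the single-quoted `data='[...]'` attribute, so please confirm that attrencode escapes single quotes and backslashes; if it does not, a `'` in view_name can still close the JS literal or the attribute. A more robust shape is the one already used for encoded_vars on the line above: serialise the whole array (with json.dumps rather than repr, so it is valid JS) and attrencode that one string, rather than attrencoding a fragment spliced into a hand-built literal. Independently, view_name is an identifier for an existing view and could be validated against the known view names at the entry point, which would reject unexpected input before it reaches any output context.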