[checkmk-commits] Check_MK Git: check_mk: It was possible to use the view_name variable to inject HTML/Javascript

Module: check_mk Branch: master Commit: 18c7a774c9cf8764b044458b50e8d62a8ae8ae12 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=18c7a774c9cf87… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Tue Jun 30 10:49:08 2015 +0200 It was possible to use the view_name variable to inject HTML/Javascript code into the status GUI views. Conflicts: ChangeLog web/htdocs/htmllib.py --- .werks/2390 | 11 +++++++++++ ChangeLog | 1 + web/htdocs/htmllib.py | 2 +- 3 files changed, 13 insertions(+), 1 deletion(-) diff --git a/.werks/2390 b/.werks/2390 new file mode 100644 index 0000000..27b905a --- /dev/null +++ b/.werks/2390 @@ -0,0 +1,11 @@ +Title: Fixed possible XSS issue on views +Level: 1 +Component: multisite +Class: security +Compatible: compat +State: unknown +Version: 1.2.7i3 +Date: 1435654030 + +It was possible to use the view_name variable to inject HTML/Javascript +code into the status GUI views. diff --git a/ChangeLog b/ChangeLog index 7bce667..0255535 100644 --- a/ChangeLog +++ b/ChangeLog @@ -28,6 +28,7 @@ * 2387 SEC: Fixed XSS problem on all pages using confirm dialogs outputting user provided parameters... * 2388 SEC: Fixed reflected XSS on the index page using the start_url parameter * 2389 SEC: Fixed XSS using the _body_class parameter of views... + * 2390 SEC: Fixed possible XSS issue on views... * 2314 FIX: Availability: fixed exception when grouping by host or service group * 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views * 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http... diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py index fd3d5b7..1d0b83f 100644 --- a/web/htdocs/htmllib.py +++ b/web/htdocs/htmllib.py @@ -1004,7 +1004,7 @@ class html: '<img class=statusicon src="images/icon_menu.png" title="%s">\n' % _("Add this view to..."), 'add_visual', 'add_visual', data='[\'%s\', %s, {\'name\': \'%s\'}]' % (mode_name, self.attrencode(repr(encoded_vars)), - self.var('view_name'))) + self.attrencode(self.var('view_name')))) for img, tooltip in self.status_icons.items(): if type(tooltip) == tuple: