Module: check_mk
Branch: master
Commit: 24436ace2fe9a21790d0e9eec14ee14cd2e80050
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=24436ace2fe9a2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Jul 24 12:54:19 2014 +0200
1063 SEC Fixed several XSS issues on different pages
Several pages, such as the views and prediction pages, failed to escape
user-provided values before writing them back into the page.
---
.werks/1062 | 9 +++++++++
.werks/1063 | 9 +++++++++
ChangeLog | 2 ++
web/htdocs/htmllib.py | 2 +-
web/plugins/views/commands.py | 2 +-
web/plugins/views/painters.py | 2 +-
werk | 2 +-
7 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/.werks/1062 b/.werks/1062
new file mode 100644
index 0000000..a6153e1
--- /dev/null
+++ b/.werks/1062
@@ -0,0 +1,9 @@
+Title: Fixed several XSS issues on different pages
+Level: 2
+Component: multisite
+Version: 1.2.5i5
+Date: 1406198826
+Class: security
+
+Some pages, like the views and prediction pages missed to escape values
+provided by the user.
diff --git a/.werks/1063 b/.werks/1063
new file mode 100644
index 0000000..c09be24
--- /dev/null
+++ b/.werks/1063
@@ -0,0 +1,9 @@
+Title: Fixed several XSS issues on different pages
+Level: 2
+Component: multisite
+Version: 1.2.5i5
+Date: 1406199218
+Class: security
+
+Several pages like views and prediction pages missed to escape user
+provided values before writing them back on the pages.
diff --git a/ChangeLog b/ChangeLog
index c06a11f..348e787 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -81,6 +81,8 @@
* 1052 SEC: index start URL can not be used to redirect to absolute URLs anymore...
* 1085 quicksearch: multiple hostname matches now lead to the searchhost view instead
of the hosts view...
* 1047 Virtual Host Tree: Allow to use topic as tree level...
+ * 1062 SEC: Fixed several XSS issues on different pages...
+ * 1063 SEC: Fixed several XSS issues on different pages...
* 0945 FIX: Sidebar snapin "Problem hosts": Now excludes hosts and services
in downtime
* 1036 FIX: doc/treasures/downtime: fix --url option, better error output
* 1074 FIX: Fix Virtual Host Tree snapin...
diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py
index afde184..be17fff 100644
--- a/web/htdocs/htmllib.py
+++ b/web/htdocs/htmllib.py
@@ -746,7 +746,7 @@ class html:
self.write('<table class=header><tr><td width="*"
class=heading>')
self.write('<a href="#" onfocus="if (this.blur)
this.blur();" '
'onclick="this.innerHTML=\'%s\';
document.location.reload();">%s</a></td>' %
- (_("Reloading..."), title))
+ (_("Reloading..."), self.attrencode(title)))
def top_heading_right(self):
cssclass = self.help_visible and "active" or "passive"
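Review bot: The new `self.attrencode(title)` covers the anchor's text content, but the other value interpolated on the same line, `_("Reloading...")`, is still placed unescaped inside a single-quoted JavaScript string literal within the double-quoted onclick attribute, so a translation containing `'` or `"` would break the handler or terminate the attribute. Since title only lands in element content, the added escaping is the right one for it; the translated text should get the same treatment, e.g. `(self.attrencode(_("Reloading...")), self.attrencode(title))`, or the handler should be built without inline JS. The enclosing method starts before this hunk, so where title originates cannot be confirmed from these lines.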
diff --git a/web/plugins/views/commands.py b/web/plugins/views/commands.py
index 77a0595..a5461a0 100644
--- a/web/plugins/views/commands.py
+++ b/web/plugins/views/commands.py
@@ -157,7 +157,7 @@ def command_fake_checks(cmdtag, spec, row):
for s in [0,1,2,3]:
statename = html.var("_fake_%d" % s)
if statename:
- pluginoutput = _("Manually set to %s by %s") % (statename,
config.user_id)
+ pluginoutput = _("Manually set to %s by %s") %
(html.attrencode(statename), config.user_id)
if cmdtag == "SVC":
cmdtag = "SERVICE"
command = "PROCESS_%s_CHECK_RESULT;%s;%s;%s" % (cmdtag, spec, s,
pluginoutput)
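Review bot: `html.attrencode(statename)` escapes for an HTML context, but on the following lines pluginoutput is embedded in the `PROCESS_%s_CHECK_RESULT;%s;%s;%s` external command string, which is a `;`/newline-delimited protocol rather than HTML; entity encoding stores `&amp;`-style text in the check result while leaving the command's own delimiters unchanged. The more robust check at this point is input validation: accept statename only if it is one of the values the `_fake_%d` form actually offers (that set is not visible in this hunk) and skip the command otherwise. That also avoids double-encoding when the stored plugin output is later rendered by the painters, which presumably escape on output. command_fake_checks begins before this hunk.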
diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py
index b05e5e6..6b8e2bc 100644
--- a/web/plugins/views/painters.py
+++ b/web/plugins/views/painters.py
@@ -1258,7 +1258,7 @@ def paint_host_group_memberlist(row):
for group in row["host_groups"]:
link = "view.py?view_name=hostgroup&hostgroup=" + group
if html.var("display_options"):
- link += "&display_options=%s" %
html.var("display_options")
+ link += "&display_options=%s" %
html.attrencode(html.var("display_options"))
links.append('<a href="%s">%s</a>' % (link,
group))
return "", ", ".join(links)
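Review bot: The new line HTML-escapes display_options with attrencode, but at that position the value is a URL query parameter, so the appropriate encoding is URL quoting of the parameter (e.g. `urllib.quote(html.var("display_options"))`, assuming urllib is imported in this module — not visible here), with HTML escaping applied once to the whole href when the anchor is written on the following line: `links.append('<a href="%s">%s</a>' % (html.attrencode(link), html.attrencode(group)))`. As written, a value containing `&` or `=` still alters the query string and a legitimate `&` reaches the server as `&amp;`. `group`, taken from row["host_groups"], goes unescaped into both the href (where it should also be URL-quoted) and the link text. paint_host_group_memberlist begins before this hunk, where `links` is initialised.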
diff --git a/werk b/werk
index cc2db14..9f18bc5 100755
--- a/werk
+++ b/werk
@@ -249,7 +249,7 @@ def git_commit(werk, custom_files):
if prefix:
title = "%s %s" % (prefix, title)
- title = werk["id"] + " " + title
+ title = "%d %s" % (werk['id'], title)
if custom_files:
files_to_commit = custom_files