[checkmk-commits] Check_MK Git: check_mk: 1063 SEC Fixed several XSS issues on different pages

Module: check_mk Branch: master Commit: 24436ace2fe9a21790d0e9eec14ee14cd2e80050 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=24436ace2fe9a2… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Thu Jul 24 12:54:19 2014 +0200 1063 SEC Fixed several XSS issues on different pages Several pages like views and prediction pages missed to escape user provided values before writing them back on the pages. --- .werks/1062 | 9 +++++++++ .werks/1063 | 9 +++++++++ ChangeLog | 2 ++ web/htdocs/htmllib.py | 2 +- web/plugins/views/commands.py | 2 +- web/plugins/views/painters.py | 2 +- werk | 2 +- 7 files changed, 24 insertions(+), 4 deletions(-) diff --git a/.werks/1062 b/.werks/1062 new file mode 100644 index 0000000..a6153e1 --- /dev/null +++ b/.werks/1062 @@ -0,0 +1,9 @@ +Title: Fixed several XSS issues on different pages +Level: 2 +Component: multisite +Version: 1.2.5i5 +Date: 1406198826 +Class: security + +Some pages, like the views and prediction pages missed to escape values +provided by the user. diff --git a/.werks/1063 b/.werks/1063 new file mode 100644 index 0000000..c09be24 --- /dev/null +++ b/.werks/1063 @@ -0,0 +1,9 @@ +Title: Fixed several XSS issues on different pages +Level: 2 +Component: multisite +Version: 1.2.5i5 +Date: 1406199218 +Class: security + +Several pages like views and prediction pages missed to escape user +provided values before writing them back on the pages. diff --git a/ChangeLog b/ChangeLog index c06a11f..348e787 100644 --- a/ChangeLog +++ b/ChangeLog @@ -81,6 +81,8 @@ * 1052 SEC: index start URL can not be used to redirect to absolute URLs anymore... * 1085 quicksearch: multiple hostname matches now lead to the searchhost view instead of the hosts view... * 1047 Virtual Host Tree: Allow to use topic as tree level... + * 1062 SEC: Fixed several XSS issues on different pages... + * 1063 SEC: Fixed several XSS issues on different pages... * 0945 FIX: Sidebar snapin "Problem hosts": Now excludes hosts and services in downtime * 1036 FIX: doc/treasures/downtime: fix --url option, better error output * 1074 FIX: Fix Virtual Host Tree snapin... diff --git a/web/htdocs/htmllib.py b/web/htdocs/htmllib.py index afde184..be17fff 100644 --- a/web/htdocs/htmllib.py +++ b/web/htdocs/htmllib.py @@ -746,7 +746,7 @@ class html: self.write('<table class=header><tr><td width="*" class=heading>') self.write('<a href="#" onfocus="if (this.blur) this.blur();" ' 'onclick="this.innerHTML=\'%s\'; document.location.reload();">%s</a></td>' % - (_("Reloading..."), title)) + (_("Reloading..."), self.attrencode(title))) def top_heading_right(self): cssclass = self.help_visible and "active" or "passive" diff --git a/web/plugins/views/commands.py b/web/plugins/views/commands.py index 77a0595..a5461a0 100644 --- a/web/plugins/views/commands.py +++ b/web/plugins/views/commands.py @@ -157,7 +157,7 @@ def command_fake_checks(cmdtag, spec, row): for s in [0,1,2,3]: statename = html.var("_fake_%d" % s) if statename: - pluginoutput = _("Manually set to %s by %s") % (statename, config.user_id) + pluginoutput = _("Manually set to %s by %s") % (html.attrencode(statename), config.user_id) if cmdtag == "SVC": cmdtag = "SERVICE" command = "PROCESS_%s_CHECK_RESULT;%s;%s;%s" % (cmdtag, spec, s, pluginoutput) diff --git a/web/plugins/views/painters.py b/web/plugins/views/painters.py index b05e5e6..6b8e2bc 100644 --- a/web/plugins/views/painters.py +++ b/web/plugins/views/painters.py @@ -1258,7 +1258,7 @@ def paint_host_group_memberlist(row): for group in row["host_groups"]: link = "view.py?view_name=hostgroup&hostgroup=" + group if html.var("display_options"): - link += "&display_options=%s" % html.var("display_options") + link += "&display_options=%s" % html.attrencode(html.var("display_options")) links.append('<a href="%s">%s</a>' % (link, group)) return "", ", ".join(links) diff --git a/werk b/werk index cc2db14..9f18bc5 100755 --- a/werk +++ b/werk @@ -249,7 +249,7 @@ def git_commit(werk, custom_files): if prefix: title = "%s %s" % (prefix, title) - title = werk["id"] + " " + title + title = "%d %s" % (werk['id'], title) if custom_files: files_to_commit = custom_files