Module: check_mk
Branch: master
Commit: cbaf3a1aa7ed272351f3c608ac79dedf20fbea6e
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=cbaf3a1aa7ed27…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 13 20:08:41 2018 +0200
6567 SEC Fixed possible XSS on activate changes page
It was possible to trigger an XSS issue using the change messages
in some situations.
Change-Id: Iea724f0c3164c5685eb0564fc6d2143094507e43
---
.werks/6567 | 11 +++++++++++
cmk/gui/watolib.py | 6 ++++++
2 files changed, 17 insertions(+)
diff --git a/.werks/6567 b/.werks/6567
new file mode 100644
index 0000000..d89e952
--- /dev/null
+++ b/.werks/6567
@@ -0,0 +1,11 @@
+Title: Fixed possible XSS on activate changes page
+Level: 1
+Component: wato
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536862088
+Class: security
+
+It was possible to trigger an XSS issue using the change messages
+in some situations.
diff --git a/cmk/gui/watolib.py b/cmk/gui/watolib.py
index 9022916..b91d36d 100644
--- a/cmk/gui/watolib.py
+++ b/cmk/gui/watolib.py
@@ -5152,6 +5152,12 @@ class ActivateChangesWriter(ActivateChanges):
else:
return obj.__class__.__name__, obj.ident()
+ # Using attrencode here is against our regular rule to do the escaping
+ # at the last possible time: When rendering. But this here is the last
+ # place where we can distinguish between HTML() encapsulated (already)
+ # escaped / allowed HTML and strings to be escaped.
+ text = html.attrencode(text)
+
self._save_change(site_id, {
"id" : change_id,
"action_name" : action_name,