Module: check_mk
Branch: master
Commit: 380b27b93ce721f1ab561b143f23cc560ab7caaa
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=380b27b93ce721…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Sep 18 10:31:39 2015 +0200
#2613 SEC Additional fix for reflected XSS on index page using start_url
The issue has already been addressed in werk #2388, but that did not really
fix the problem for all cases.
---
.werks/2613 | 11 +++++++++++
ChangeLog | 1 +
web/htdocs/main.py | 2 +-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.werks/2613 b/.werks/2613
new file mode 100644
index 0000000..2ae4414
--- /dev/null
+++ b/.werks/2613
@@ -0,0 +1,11 @@
+Title: Additional fix for refleced XSS on index page using start_url
+Level: 1
+Component: multisite
+Class: security
+Compatible: compat
+State: unknown
+Version: 1.2.7i3
+Date: 1442565029
+
+The issue has already been addressed in werk #2388, but was not really
+fixing the problem for all cases.
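Review bot: the `Title:` line of the new werk file misspells "reflected" as "refleced"; since werk titles are what users see in the release notes and what they search for when tracking security fixes, correct it to `Title: Additional fix for reflected XSS on index page using start_url`. The same misspelling is carried into the ChangeLog entry added for 2613 in this commit, so fix both together.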
diff --git a/ChangeLog b/ChangeLog
index d439275..92b5031 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -209,6 +209,7 @@
* 2491 Allow clickable URLs in comments and downtime texts...
* 2512 Custom Icons/Actions: URLs target frames can now be configured...
* 2612 SEC: Fixed possible XSS on service detail page using the long service
output...
+ * 2613 SEC: Additional fix for refleced XSS on index page using start_url...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older
customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
diff --git a/web/htdocs/main.py b/web/htdocs/main.py
index 2ce6dd8..8133673 100644
--- a/web/htdocs/main.py
+++ b/web/htdocs/main.py
@@ -36,7 +36,7 @@ def page_index():
start_url = default_start_url
# Also prevent using of "javascript:" URLs which could used to inject code
- if start_url.startswith('javascript:'):
+ if start_url.lower().startswith('javascript:'):
start_url = default_start_url
if "%s" in config.page_heading:
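Review bot: lowercasing before `startswith('javascript:')` closes the case-variation bypass but the check is still a blocklist against one scheme, and the same class of input still reaches the page: `vbscript:` and `data:` values are not rejected at all, and a value with leading whitespace or an embedded tab/newline inside the scheme name (browsers strip ASCII tab and newline from a URL and ignore leading whitespace, so `java\tscript:...` is executed as `javascript:...`) does not start with `javascript:` even after `.lower()`. Since the fallback to `default_start_url` is already in place, invert the logic into an allowlist: drop control characters, strip the value, and accept only an empty scheme (a relative Multisite page) or `http`/`https`, e.g. (assuming the Python 2 `urlparse` module is imported in this file)

    start_url = ''.join(c for c in start_url if ord(c) >= 0x20).strip()
    if urlparse.urlparse(start_url).scheme not in ('', 'http', 'https'):
        start_url = default_start_url

A protocol-relative value such as `//other-host/` would still pass this allowlist as an open redirect rather than XSS, so add `or start_url.startswith('//')` to the condition if external start pages are not a requirement.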