Module: check_mk
Branch: master
Commit: 379a7ffded29f2a8c0d3fada55ba5d44503755ea
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=379a7ffded29f2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Nov 12 13:56:34 2014 +0100
#1499 SEC Fixed XSS injections in different places
Fixed different XSS injections in the Check_MK multisite code
where an authenticated user could inject custom script code
to be executed during page rendering.
---
.werks/1499 | 11 +++++++++++
ChangeLog | 1 +
web/htdocs/index.py | 8 ++++----
web/htdocs/sidebar.py | 2 +-
web/plugins/views/commands.py | 2 +-
5 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/.werks/1499 b/.werks/1499
new file mode 100644
index 0000000..6f27c19
--- /dev/null
+++ b/.werks/1499
@@ -0,0 +1,11 @@
+Title: Fixed XSS injections in different places
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.2.5i7
+Date: 1415796868
+Class: security
+
+Fixed different XSS injections in the Check_MK multisite code
+where an authenticated user could inject custom script code
+to be executed during page rendering.
diff --git a/ChangeLog b/ChangeLog
index d92276f..9cf93bd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -32,6 +32,7 @@
* 1508 Allow input of plugin output and perfdata when faking check results...
* 1493 Added config option "Default filter group" to set the initial
network topology view filter...
* 1497 Implemented password policy capabilities for local users...
+ * 1499 SEC: Fixed XSS injections in different places...
* 1164 FIX: Fixed links from servicegroup overviews to single servicegroups
* 1166 FIX: Also prevting stylesheet update issues during version updates (just like
for JS files)
* 1481 FIX: Fix broken layout of Host-, Service- and Contactgroup filters
diff --git a/web/htdocs/index.py b/web/htdocs/index.py
index 917fc0d..ca97019 100644
--- a/web/htdocs/index.py
+++ b/web/htdocs/index.py
@@ -270,7 +270,7 @@ def handler(req, fields = None, profiling = True):
html.write(_("Configuration error") + ": %s\n" % e)
elif not fail_silently:
html.header(_("Configuration Error"))
- html.show_error(unicode(e))
+ html.show_error(unicode(html.attrencode(e)))
html.footer()
apache.log_error(_("Configuration error: %s") % (e,),
apache.APLOG_ERR)
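Review bot: The added `html.attrencode(e)` is applied to the exception object rather than to its message, so it relies on attrencode coercing non-string input, which nothing in this hunk shows; encoding the string is unambiguous: `html.show_error(html.attrencode(unicode(e)))`. The same shape recurs in the hunks at @@ -279 and @@ -298, the latter without the `unicode()` wrapper, so the three sites also disagree on form and would be easier to audit if they matched. The `html.write(...)` branch on the first line of this hunk still interpolates `e` raw; if that branch can also end up in an HTML response it needs the same treatment, but its condition is outside the hunk, as is the rest of `handler`.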
@@ -279,7 +279,7 @@ def handler(req, fields = None, profiling = True):
html.write(_("General error") + ": %s\n" % e)
elif not fail_silently:
html.header(_("Error"))
- html.show_error(unicode(e))
+ html.show_error(unicode(html.attrencode(e)))
html.footer()
apache.log_error(_("Error: %s") % (e,), apache.APLOG_ERR)
@@ -289,7 +289,7 @@ def handler(req, fields = None, profiling = True):
elif not fail_silently:
html.header(_("Data not found"))
html.show_error(_("The following query produced no
output:\n<pre>\n%s</pre>\n") % \
- e.query)
+ html.attrencode(e.query))
html.footer()
response_code = apache.HTTP_NOT_FOUND
@@ -298,7 +298,7 @@ def handler(req, fields = None, profiling = True):
html.write(_("Livestatus problem") + ": %s\n" % e)
elif not fail_silently:
html.header(_("Livestatus problem"))
- html.show_error(_("Livestatus problem: %s") % e)
+ html.show_error(_("Livestatus problem: %s") % html.attrencode(e))
html.footer()
else:
response_code = apache.HTTP_BAD_GATEWAY
diff --git a/web/htdocs/sidebar.py b/web/htdocs/sidebar.py
index a262c43..4f4e212 100644
--- a/web/htdocs/sidebar.py
+++ b/web/htdocs/sidebar.py
@@ -555,7 +555,7 @@ def ajax_switch_masterstate():
html.live.set_only_sites()
render_master_control()
else:
- html.write(_("Command %s/%d not found") % (column, state))
+ html.write(_("Command %s/%d not found") % (html.attrencode(column),
state))
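Review bot: Encoding `column` at the point where it is reflected into the "not found" message is the right place, but nothing records why the call is there, and the value's origin is outside the hunk (the start of `ajax_switch_masterstate` is not shown). A one-line comment above the write keeps a later edit from dropping it: `# column is reflected into the page; presumably request-supplied, so encode it`. `state` is formatted with `%d`, which only accepts numeric values, so it needs no encoding.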
def ajax_del_bookmark():
try:
diff --git a/web/plugins/views/commands.py b/web/plugins/views/commands.py
index 7c8ff69..7b24e2c 100644
--- a/web/plugins/views/commands.py
+++ b/web/plugins/views/commands.py
@@ -184,7 +184,7 @@ def command_fake_checks(cmdtag, spec, row):
if cmdtag == "SVC":
cmdtag = "SERVICE"
command = "PROCESS_%s_CHECK_RESULT;%s;%s;%s" % (cmdtag, spec, s,
pluginoutput)
- title = _("<b>manually set check results to %s</b>
for") % statename
+ title = _("<b>manually set check results to %s</b>
for") % html.attrencode(statename)
return command, title
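Review bot: Only `title` is encoded; the `command` built two lines above interpolates `spec`, `s` and `pluginoutput` into a Livestatus command line, where HTML encoding would be the wrong tool but structural characters still matter — those fields must not be able to carry a line break or `;`, otherwise they change the command rather than its text. If any of them is request-supplied (their assignment is outside the hunk, as is the start of `command_fake_checks`), the check belongs where they are read, before this format string. The translated `title` string intentionally contains `<b>` markup, so the encoding must stay on `statename` alone and not be widened to the whole message; a comment makes that intent explicit: `# statename is escaped; the surrounding <b> is trusted template markup`.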