Branch: refs/heads/master
Home:
https://github.com/tribe29/checkmk
Commit: c00f450f884d8a229b7d8ab3f0452ed802a1ae04
https://github.com/tribe29/checkmk/commit/c00f450f884d8a229b7d8ab3f0452ed80…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-10-21 (Wed, 21 Oct 2020)
Changed paths:
M cmk/gui/escaping.py
M tests/unit/cmk/gui/test_htmllib_Escaper.py
Log Message:
-----------
Rewrite matching a href unescape regex to separate attributes
The goal of this commit is to separate the values of the href and target
attributes in dedicated match groups. We also exclude the quotes from the
match groups to simplify the code.
Change-Id: I1e64946a1a426d81284b3173db43135ee0d1debc
Commit: e7fd8e4c90be490e4293ec91804d00ec01af5ca6
https://github.com/tribe29/checkmk/commit/e7fd8e4c90be490e4293ec91804d00ec0…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-10-21 (Wed, 21 Oct 2020)
Changed paths:
M cmk/gui/escaping.py
M tests/unit/cmk/gui/test_htmllib_Escaper.py
Log Message:
-----------
Prevent non http/https links from being unescaped
Our permissive HTML escaping is preserving some HTML tags, which includes basic
link tags (a tag with href and optional target attributes). Previous versions
were not inspecting the value of href, which made it possible to add links with
e.g. a "javascript:" protocol. This opened some XSS attack vectors.
After this change it is only possible to link to http and https protocols. All
other links will not be unescaped.
Change-Id: I6e029ecc52f3dd3fc1f213c7f809332e3e49b3ee
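The approach the commit message above describes, written out as an added example that is not checkmk's own `cmk/gui/escaping.py`: escape everything first, restore a small allowlist of harmless tags, and restore `<a>` only when the href value (captured in its own match group, quotes excluded) starts with `http://` or `https://`. The allowlist of simple tags, the function names and the sample inputs are assumptions made for the example, not taken from the project.

```python
import html
import re
from typing import Match

# Constructed example: tags restored verbatim after escaping. These carry no
# attributes, so the only risk is layout, not script execution.
SIMPLE_TAGS = ("b", "i", "u", "tt", "br", "h2", "h3")

# Schemes a restored link may use. Everything else (javascript:, data:,
# vbscript:, relative paths, ...) stays escaped and renders as plain text.
ALLOWED_SCHEMES = ("http://", "https://")

# Matches an already-escaped <a href="..." [target="..."]>text</a>.
# href and target each get their own group and the surrounding quotes are
# excluded from the groups; the tempered pattern (?:(?!&quot;).)* stops at the
# first closing quote so a value can never swallow a following attribute.
A_LINK_RE = re.compile(
    r"&lt;a href=&quot;((?:(?!&quot;).)*)&quot;"
    r"(?: target=&quot;((?:(?!&quot;).)*)&quot;)?"
    r"&gt;(.*?)&lt;/a&gt;"
)


def is_allowed_href(href: str) -> bool:
    """True only for absolute http/https URLs (scheme compared case-insensitively)."""
    return href.lower().startswith(ALLOWED_SCHEMES)


def _restore_link(match: Match[str]) -> str:
    href, target, text = match.group(1), match.group(2), match.group(3)
    if not is_allowed_href(href):
        # Leave the whole element escaped; the user sees the literal markup.
        return match.group(0)
    target_attr = f' target="{target}"' if target is not None else ""
    # href/target/text are still HTML-escaped here (e.g. & is &amp;), so
    # placing them inside quoted attributes and element content is safe.
    return f'<a href="{href}"{target_attr}>{text}</a>'


def escape_permissive(text: str) -> str:
    """Escape user text, then selectively unescape the allowlisted markup."""
    escaped = html.escape(text, quote=True)
    for tag in SIMPLE_TAGS:
        escaped = escaped.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        escaped = escaped.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    return A_LINK_RE.sub(_restore_link, escaped)


if __name__ == "__main__":
    # Constructed sample inputs: a benign link, a javascript: link, and a link
    # that tries to smuggle an extra event-handler attribute.
    for sample in (
        '<a href="https://example.com" target="_blank">Docs</a>',
        '<a href="javascript:alert(1)">click</a>',
        '<a href="http://x" onmouseover="alert(1)">y</a>',
    ):
        print(escape_permissive(sample))
```

A blocked link is left entirely escaped, closing tag included, rather than half-restored, so a reader sees exactly what was submitted and no partial markup reaches the DOM. Because the values are taken from the escaped string, an `&` inside a query string survives as `&amp;`, which is the correct encoding inside an attribute value.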
Commit: 8b2ec5192eb3dc29ca4a85b3e932bf56dd5b433a
https://github.com/tribe29/checkmk/commit/8b2ec5192eb3dc29ca4a85b3e932bf56d…
Author: Lars Michelsen <lm(a)tribe29.com>
Date: 2020-10-21 (Wed, 21 Oct 2020)
Changed paths:
A .werks/11501
Log Message:
-----------
11501 SEC Fix possible XSS using titles of views
Authenticated users that are allowed to configure and share custom views
could inject arbitrary JS code to all users who are permitted to view this
view.
Change-Id: Ib7f2e4523eff3b3a460c6558b13e160057dcfffd
Compare:
https://github.com/tribe29/checkmk/compare/1c2e8c2f6e49...8b2ec5192eb3