Module: check_mk
Branch: master
Commit: f5415dab2097902aa92180ca4434b4f32318d67d
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f5415dab209790…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 23 08:43:42 2014 +0200
SEC Valuespecs: Fixed several possible HTML injections in valuespecs
Several valuespecs of different types (mostly used in WATO) were missing proper
escaping of values, leaving them open to HTML injection. Escaping has been added
to prevent HTML code injections which could be used for XSS attacks. This only
affects WATO and logged-in users who are permitted to use WATO and open the page
(e.g. the list of rules) which displays the values.
---
.werks/824 | 12 ++++++++++++
ChangeLog | 1 +
web/htdocs/valuespec.py | 8 ++++----
3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/.werks/824 b/.werks/824
new file mode 100644
index 0000000..629d2e1
--- /dev/null
+++ b/.werks/824
@@ -0,0 +1,12 @@
+Title: Valuespecs: Fixed several possible HTML injections in valuespecs
+Level: 1
+Component: wato
+Version: 1.2.5i4
+Date: 1403505656
+Class: security
+
+Several HTML injections in valuespecs of different types (mostly used in WATO)
+were missing good escaping of values. This has been added to prevent HTML
+code injections which could be used for XSS attacks. This only affects WATO
+and logged in users which are permitted to use WATO and open the page
+(e.g. the list of rules) which displays the values.
diff --git a/ChangeLog b/ChangeLog
index 7492526..4ddd575 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,7 @@
WATO:
* 0987 New button for updating DNS cache...
+ * 0824 SEC: Valuespecs: Fixed several possible HTML injections in valuespecs...
* 0813 FIX: LDAP: Improved slightly missleading logging of LDAP sync actions...
* 0935 FIX: CPU utilization: increased maximum value to 10000...
* 0821 FIX: Reducing size of auth.php (needed for authorisation in NagVis) in large
environments...
diff --git a/web/htdocs/valuespec.py b/web/htdocs/valuespec.py
index 477ed21..31afeab 100644
--- a/web/htdocs/valuespec.py
+++ b/web/htdocs/valuespec.py
@@ -464,7 +464,7 @@ class EmailAddress(TextAscii):
if not value:
return TextAscii.value_to_text(self, value)
elif self._make_clickable:
- return '<a href="mailto:%s">%s</a>' % (value,
value)
+ return '<a href="mailto:%s">%s</a>' %
(html.attrencode(value), html.attrencode(value))
else:
return value
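Review bot: The non-clickable branch on the last line of the hunk, `return value`, still hands the value back unescaped, while the clickable branch a few lines up now encodes it for both the href and the link text; since the output of value_to_text is emitted as HTML (the clickable branch builds an anchor tag), this branch needs the same treatment unless TextAscii.value_to_text already escapes, which is outside the hunk and should be confirmed. Suggested line: `return html.attrencode(value)`. The enclosing value_to_text starts before the hunk.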
@@ -566,7 +566,7 @@ class HTTPUrl(TextAscii):
# any path component
return '<a %shref="%s">%s</a>' % (
(self._target and 'target="%s" ' % self._target or
""),
- url, text)
+ html.attrencode(url), html.attrencode(text))
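Review bot: `html.attrencode(url)` in the href only stops the value from breaking out of the attribute; it does not constrain the URL scheme, so the link is safe only if the scheme is pinned to http/https elsewhere, presumably in HTTPUrl's validation, which is outside the hunk and should be verified rather than assumed. A comment at the return would record that dependency: `# NOTE: attrencode() only protects the attribute; the scheme must be restricted by validation`. `self._target` is interpolated unencoded on the line above the change, which is acceptable only as long as it comes from the constructor argument and never from request data. The enclosing value_to_text starts before the hunk.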
class TextAreaUnicode(TextUnicode):
def __init__(self, **kwargs):
@@ -1031,7 +1031,7 @@ class DropdownChoice(ValueSpec):
return title.split(self._help_separator, 1)[0].strip()
else:
return title
- return _("(other: %s)" % value)
+ return _("(other: %s)" % html.attrencode(value))
def from_html_vars(self, varprefix):
sel = html.var(varprefix)
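Review bot: On the changed line the gettext call wraps the already-formatted string, `_("(other: %s)" % html.attrencode(value))`, so the catalog lookup is made with the substituted text and can never match the `(other: %s)` message entry; translate the template first: `return _("(other: %s)") % html.attrencode(value)`. The escaping here is also applied to the raw value while the Alternative hunk further down passes `str(value)`; DropdownChoice values are not necessarily strings, so `html.attrencode(value)` should be checked against non-string values unless attrencode accepts them. The enclosing value_to_text starts before the hunk.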
@@ -2224,7 +2224,7 @@ class Alternative(ValueSpec):
output = "%s<br>" % vs.title()
return output + vs.value_to_text(value)
else:
- return _("invalid:") + " " + str(value)
+ return _("invalid:") + " " + html.attrencode(str(value))
def from_html_vars(self, varprefix):
nr = int(html.var(varprefix + "_use"))
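Review bot: `html.attrencode(str(value))` on the changed line raises UnicodeEncodeError when value is a unicode object containing non-ASCII characters and this code runs under Python 2, which the `_()` and `%`-formatting style suggests but the hunk does not prove. If attrencode accepts unicode input, `html.attrencode("%s" % value)` avoids the narrowing conversion while still covering non-string values. The enclosing value_to_text starts before the hunk.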