Module: check_mk
Branch: master
Commit: c70e2449d3d4564d8fc0c78fd8ca423b0fdeea5e
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=c70e2449d3d456…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Fri Jul 22 18:45:33 2016 +0200
3719 FIX Fixed possible wrong encoding of audit log messages when editing global settings
---
.werks/3719 | 10 ++++++++++
ChangeLog | 1 +
web/htdocs/wato.py | 7 ++++---
web/htdocs/watolib.py | 6 +++++-
4 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/.werks/3719 b/.werks/3719
new file mode 100644
index 0000000..73ebcf8
--- /dev/null
+++ b/.werks/3719
@@ -0,0 +1,10 @@
+Title: Fixed possible wrong encoding of audit log messages when editing global settings
+Level: 1
+Component: wato
+Class: fix
+Compatible: compat
+State: unknown
+Version: 1.4.0i1
+Date: 1469205887
+
+
diff --git a/ChangeLog b/ChangeLog
index e27eb62..1d70b85 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -499,6 +499,7 @@
* 3152 FIX: lvm_vgs: fixed exception in host-specific settings if rule for LVM groups
is set
* 3557 FIX: Web API: get_host/get_all_hosts action now also returns the nodes of
cluster host
* 3718 FIX: Changes not needing a core restart are not showing up pending changes
anymore...
+ * 3719 FIX: Fixed possible wrong encoding of audit log messages when editing global
settings
Notifications:
* 3263 Notifications: allow users to restrict by their contact groups...
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index ff657d2..95185c4 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -4883,7 +4883,8 @@ def render_audit_log(log, what, with_filename = False,
hilite_others=False):
_("This change has been made by another user"))
htmlcode += user + '</td>'
- htmlcode += '</td><td
width="100%%">%s</td></tr>\n' % html.attrencode(text)
+ # This must not be attrencoded: The entries are encoded when writing to the log.
+ htmlcode += '</td><td
width="100%%">%s</td></tr>\n' % text
htmlcode += "</table>"
if what == 'audit':
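Review bot: Removing html.attrencode(text) from the `htmlcode +=` line makes rendering trust every stored entry, but entries written before this commit went through the old `make_utf8(message).strip()` path in watolib.py and were stored unescaped, so an existing audit log containing user-supplied text is now displayed as raw markup. Either migrate existing log files once or keep escaping entries that predate the change (a marker in the file or the entry timestamp could distinguish them); otherwise the audit log becomes a place where old unescaped input is rendered verbatim. The new comment should also name the contract the renderer now relies on: `# Entries are escaped by log_entry() when written; HTML() messages are stored as-is, so do not escape here.` render_audit_log starts and continues outside the hunk.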
@@ -6815,8 +6816,8 @@ def mode_edit_configvar(phase, what = 'globalvars'):
else:
new_value = get_edited_value(valuespec)
current_settings[varname] = new_value
- msg = _("Changed global configuration variable %s to %s.") \
- % (varname, valuespec.value_to_text(new_value))
+ msg = HTML(_("Changed global configuration variable %s to %s.") \
+ % (varname, valuespec.value_to_text(new_value)))
if siteid:
save_sites(configured_sites, activate=False)
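Review bot: Wrapping the whole message in HTML() on the new `msg = HTML(...)` lines marks the output of valuespec.value_to_text(new_value) as already-safe markup, so it now reaches log_entry without escaping and, with the render_audit_log change in this commit, is displayed unescaped. That is only correct if every valuespec's value_to_text escapes its own output; if it returns the plain setting value for text-type variables, the escaping should be applied to the interpolated pieces instead, e.g. `% (html.attrencode(varname), html.attrencode(valuespec.value_to_text(new_value)))`, with HTML() wrapping only the assembled string. Whether value_to_text escapes is not visible in this hunk and should be confirmed against the valuespec classes before relying on it. mode_edit_configvar starts outside the hunk and continues past it.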
diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index d01c1b9..eb5435d 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -175,7 +175,11 @@ def foreign_changes():
# linkinfo identifies the object operated on. It can be a Host or a Folder
# or a text.
def log_entry(linkinfo, action, message, logfilename, user_id = None):
- message = make_utf8(message).strip()
+ # Using attrencode here is against our regular rule to do the escaping
+ # at the last possible time: When rendering. But this here is the last
+ # place where we can distinguish between HTML() encapsulated (already)
+ # escaped / allowed HTML and strings to be escaped.
+ message = make_utf8(html.attrencode(message)).strip()
# linkinfo is either a Folder, or a Host or a hostname or None
if isinstance(linkinfo, Folder):
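Review bot: The new comment above `message = make_utf8(html.attrencode(message)).strip()` explains why escaping happens here but not what callers must pass, and that contract is what the whole commit hinges on; the header comment of log_entry should state it, e.g. `# message: an HTML() instance is stored as given (the caller guarantees it is safe markup); any other string is escaped here before it is written.` The behaviour also depends on html.attrencode leaving HTML() instances untouched, which is not visible in this hunk and is worth a one-line note next to the call so a later change to attrencode does not silently double-escape or, worse, stop escaping plain strings. log_entry continues outside the hunk.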