Module: check_mk
Branch: master
Commit: 1c45c95ec37eb2d84ddd55eae6785eb0c16ca229
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=1c45c95ec37eb2…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Thu Sep 13 20:21:50 2018 +0200
6568 SEC Fixed possible XSS on custom icon management page
Using icons with specially crafted names it was possible to trigger an XSS
on the icon administration page; only admin users viewing that page were affected.
Change-Id: I43884cb20481316a6a1babbaac75f84ec34e133c
---
.werks/6568 | 11 +++++++++++
cmk/gui/wato/__init__.py | 4 ++--
2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/.werks/6568 b/.werks/6568
new file mode 100644
index 0000000..c0866d4
--- /dev/null
+++ b/.werks/6568
@@ -0,0 +1,11 @@
+Title: Fixed possible XSS on custom icon management page
+Level: 1
+Component: wato
+Compatible: compat
+Edition: cre
+Version: 1.6.0i1
+Date: 1536862847
+Class: security
+
+Using icons with specific names it was possible to trigger an XSS
+on the icon administration page which only affected admin users.
diff --git a/cmk/gui/wato/__init__.py b/cmk/gui/wato/__init__.py
index 5608a27..86b72d0 100644
--- a/cmk/gui/wato/__init__.py
+++ b/cmk/gui/wato/__init__.py
@@ -14128,8 +14128,8 @@ class ModeIcons(WatoMode):
html.icon_button(delete_url, _("Delete this Icon"),
"delete")
table.cell(_("Icon"), html.render_icon(icon_name),
css="buttons")
- table.cell(_("Name"), icon_name)
- table.cell(_("Category"),
IconSelector.category_alias(category_name))
+ table.text_cell(_("Name"), icon_name)
+ table.text_cell(_("Category"),
IconSelector.category_alias(category_name))
table.end()
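Review bot: The hunk escapes `icon_name` in the Name column but the same value still flows into `html.render_icon(icon_name)` in the Icon cell and into `delete_url` built just above it, so whether the page is fully fixed depends on `render_icon` and the URL builder quoting the name — neither is visible here and both should be checked before this is treated as closed. Escaping at output is the right minimum, but since the name appears to come from the uploaded icon file, the more robust fix is to reject anything outside a strict allowlist when the icon is stored, e.g. `if not re.match(r"^[A-Za-z0-9_-]+$", icon_name): <reject with the project's user-error exception>` (this needs `re` in scope at that site). Please also confirm that `table.text_cell` actually HTML-escapes its value rather than only changing cell styling, since the commit relies entirely on that. The enclosing ModeIcons method begins before this hunk.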