Red Hat Bugzilla – Attachment 951111 Details for
Bug 1156299
CVE-2014-7811 Red Hat Satellite, Spacewalk: multiple XSS
[patch]
SW-master/Sat5-latest patch
xss.patch (text/plain), 10.11 KB, created by
Grant Gainey
on 2014-10-27 18:30:09 UTC
Description:
SW-master/Sat5-latest patch
Filename:
MIME Type:
Creator:
Grant Gainey
Created:
2014-10-27 18:30:09 UTC
Size:
10.11 KB
patch
obsolete
>diff --git a/java/code/src/com/redhat/rhn/domain/action/ActionFormatter.java b/java/code/src/com/redhat/rhn/domain/action/ActionFormatter.java
>index af9f91a..3688429 100644
>--- a/java/code/src/com/redhat/rhn/domain/action/ActionFormatter.java
>+++ b/java/code/src/com/redhat/rhn/domain/action/ActionFormatter.java
>@@ -14,6 +14,8 @@
> */
> package com.redhat.rhn.domain.action;
>
>+import org.apache.commons.lang.StringEscapeUtils;
>+
> import com.redhat.rhn.common.localization.LocalizationService;
> import com.redhat.rhn.domain.action.server.ServerAction;
> import com.redhat.rhn.domain.server.Server;
>@@ -195,7 +197,7 @@ public class ActionFormatter {
> }
> retval.append("</br>");
> retval.append(ls.getMessage("system.event.details.returned",
>- sa.getResultMsg(), sa.getResultCode()));
>+ StringEscapeUtils.escapeHtml(sa.getResultMsg()), sa.getResultCode()));
> retval.append(action.getHistoryDetails(server));
> return retval.toString();
> }
>diff --git a/java/code/src/com/redhat/rhn/domain/action/scap/ScapAction.java b/java/code/src/com/redhat/rhn/domain/action/scap/ScapAction.java
>index 638d512..83c2575 100644
>--- a/java/code/src/com/redhat/rhn/domain/action/scap/ScapAction.java
>+++ b/java/code/src/com/redhat/rhn/domain/action/scap/ScapAction.java
>@@ -14,6 +14,8 @@
> */
> package com.redhat.rhn.domain.action.scap;
>
>+import org.apache.commons.lang.StringEscapeUtils;
>+
> import com.redhat.rhn.common.localization.LocalizationService;
> import com.redhat.rhn.domain.action.Action;
> import com.redhat.rhn.domain.server.Server;
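Review bot: The new escapeHtml call makes this method's return value an HTML fragment whose safety depends on every appended piece being escaped, yet nothing in the method states that contract, and history_event.jsp later in this patch renders the output with escapeXml="false" on the strength of it. `sa.getResultCode()` and `action.getHistoryDetails(server)` are appended through the same StringBuilder without escaping; the result code is presumably numeric, but getHistoryDetails is a per-action-type implementation not visible here, and each implementation would have to honour the same rule. Add a Javadoc `@return` on the method saying the value is HTML and that every model-derived string must pass through StringEscapeUtils.escapeHtml before being appended, so the next contributor does not append a raw field. The method's signature and the start of its body lie outside the hunk; the same contract applies to the ScapAction hunk that follows.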
>@@ -49,11 +51,11 @@ public class ScapAction extends Action {
> StringBuilder retval = new StringBuilder();
> retval.append("</br>");
> retval.append(ls.getMessage("system.event.scapPath"));
>- retval.append(scapActionDetails.getPath());
>+ retval.append(StringEscapeUtils.escapeHtml(scapActionDetails.getPath()));
> retval.append("</br>");
> retval.append(ls.getMessage("system.event.scapParams"));
> retval.append(scapActionDetails.getParameters() == null ? "" :
>- scapActionDetails.getParametersContents());
>+ StringEscapeUtils.escapeHtml(scapActionDetails.getParametersContents()));
> if (this.getSuccessfulCount() > 0) {
> retval.append("</br>");
> retval.append("<a href=\"/rhn/systems/details/audit/XccdfDetails.do?sid=" +
>diff --git a/java/code/src/com/redhat/rhn/frontend/action/systems/sdc/SystemOverviewAction.java b/java/code/src/com/redhat/rhn/frontend/action/systems/sdc/SystemOverviewAction.java
>index a7994f4..e36fd5e 100644
>--- a/java/code/src/com/redhat/rhn/frontend/action/systems/sdc/SystemOverviewAction.java
>+++ b/java/code/src/com/redhat/rhn/frontend/action/systems/sdc/SystemOverviewAction.java
>@@ -14,6 +14,22 @@
> */
> package com.redhat.rhn.frontend.action.systems.sdc;
>
>+import java.util.ArrayList;
>+import java.util.Arrays;
>+import java.util.Date;
>+import java.util.HashMap;
>+import java.util.Iterator;
>+import java.util.List;
>+import java.util.Map;
>+
>+import javax.servlet.http.HttpServletRequest;
>+import javax.servlet.http.HttpServletResponse;
>+
>+import org.apache.commons.lang.StringEscapeUtils;
>+import org.apache.struts.action.ActionForm;
>+import org.apache.struts.action.ActionForward;
>+import org.apache.struts.action.ActionMapping;
>+
> import com.redhat.rhn.common.conf.ConfigDefaults;
> import com.redhat.rhn.common.db.datasource.DataResult;
> import com.redhat.rhn.common.localization.LocalizationService;
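Review bot: The last line of the hunk begins assembling an `<a href="...XccdfDetails.do?sid=` attribute by string concatenation, and whatever is spliced in after the `+` (outside the hunk) does not go through the escaping that path and parameters now get. If that value is the numeric server id this is harmless, but the patch does not show it, and attribute context is the one place in this method where an unescaped string would still be a problem; the concatenation should be checked with the same rule. Separately, `StringEscapeUtils.escapeHtml(null)` returns null in commons-lang 2, so a null `getPath()` still appends the literal text "null" exactly as before the patch; `StringUtils.defaultString(scapActionDetails.getPath())` inside the escape call would make the intended output explicit. The enclosing method continues past the end of the hunk.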
>@@ -33,21 +49,6 @@ import com.redhat.rhn.manager.rhnpackage.PackageManager;
> import com.redhat.rhn.manager.system.SystemManager;
> import com.redhat.rhn.manager.user.UserManager;
>
>-import org.apache.struts.action.ActionForm;
>-import org.apache.struts.action.ActionForward;
>-import org.apache.struts.action.ActionMapping;
>-
>-import java.util.ArrayList;
>-import java.util.Arrays;
>-import java.util.Date;
>-import java.util.HashMap;
>-import java.util.Iterator;
>-import java.util.List;
>-import java.util.Map;
>-
>-import javax.servlet.http.HttpServletRequest;
>-import javax.servlet.http.HttpServletResponse;
>-
> /**
> * SystemOverviewAction
> * @version $Rev$
>@@ -74,7 +75,7 @@ public class SystemOverviewAction extends RhnAction {
> String description = null;
>
> if (s.getDescription() != null) {
>- description = new String(s.getDescription()).replaceAll("\\n", "<br/>");
>+ description = StringEscapeUtils.escapeHtml(s.getDescription()).replaceAll("\\n", "<br/>");
> }
>
> // System Channels
>diff --git a/java/code/webapp/WEB-INF/pages/admin/users/disabledlist.jsp b/java/code/webapp/WEB-INF/pages/admin/users/disabledlist.jsp
>index 6500835..303fe5a 100644
>--- a/java/code/webapp/WEB-INF/pages/admin/users/disabledlist.jsp
>+++ b/java/code/webapp/WEB-INF/pages/admin/users/disabledlist.jsp
>@@ -48,7 +48,7 @@
>
> <rl:column
> headerkey="disabledlist.jsp.disabledBy">
>- <c:out value="${current.changedByFirstName} ${current.changedByLastName}" escapeXml="false"/>
>+ <c:out value="${current.changedByFirstName} ${current.changedByLastName}" />
> </rl:column>
>
> <rl:column headerkey="disabledlist.jsp.disabledOn"
>diff --git a/java/code/webapp/WEB-INF/pages/common/fragments/user/userlist_columns.jspf b/java/code/webapp/WEB-INF/pages/common/fragments/user/userlist_columns.jspf
>index e5203ef..b1af17d 100644
>--- a/java/code/webapp/WEB-INF/pages/common/fragments/user/userlist_columns.jspf
>+++ b/java/code/webapp/WEB-INF/pages/common/fragments/user/userlist_columns.jspf
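Review bot: The escaped-then-`<br/>`-rewritten description in the `-74` hunk is handed to the view, and overview.jsp in this same patch renders it with `escapeXml="false"`; that is a two-sided contract that neither side states in code, so a later change to either end can silently reopen the issue. Add a comment above the assignment, `// HTML-escaped here on purpose: overview.jsp renders it with escapeXml="false" so the <br/> tags survive; keep both sides in sync`. The order of the two calls matters and deserves a word too: escaping first and replacing newlines second is what keeps the inserted `<br/>` intact, so they must not be swapped. The enclosing method starts and ends outside the hunk.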
>@@ -5,7 +5,7 @@
> headerkey="realname.displayname"
> sortattr="userLastName">
>
>- <c:out value="${current.userLastName}, ${current.userFirstName}" escapeXml="false" />
>+ <c:out value="${current.userLastName}, ${current.userFirstName}" />
>
> </rl:column>
>
>diff --git a/java/code/webapp/WEB-INF/pages/groups/detail.jsp b/java/code/webapp/WEB-INF/pages/groups/detail.jsp
>index e994b70..2950585 100644
>--- a/java/code/webapp/WEB-INF/pages/groups/detail.jsp
>+++ b/java/code/webapp/WEB-INF/pages/groups/detail.jsp
>@@ -87,11 +87,11 @@
> <table class="table">
> <tr>
> <th><bean:message key="systemgroup.details.name"/></th>
>- <td>${name}</td>
>+ <td><c:out value="${name}" /></td>
> </tr>
> <tr>
> <th valign="top"><bean:message key="systemgroup.details.description"/></th>
>- <td>${description}</td>
>+ <td><c:out value="${description}" /></td>
> </tr>
> </table>
> </div>
>diff --git a/java/code/webapp/WEB-INF/pages/systems/sdc/history_event.jsp b/java/code/webapp/WEB-INF/pages/systems/sdc/history_event.jsp
>index 440e7af..78650e7 100644
>--- a/java/code/webapp/WEB-INF/pages/systems/sdc/history_event.jsp
>+++ b/java/code/webapp/WEB-INF/pages/systems/sdc/history_event.jsp
>@@ -32,7 +32,7 @@
> <bean:message key="system.event.summaryText" arg0="${requestScope.actiontype}" arg1="${requestScope.scheduler}" />
> </c:when>
> <c:otherwise>
>- ${requestScope.actiontype}
>+ <c:out value="${requestScope.actiontype}" />
> </c:otherwise>
> </c:choose>
> </div>
>@@ -44,7 +44,7 @@
> <strong><bean:message key="system.event.details"/></strong>
> </div>
> <div class="col-sm-10">
>- ${requestScope.actionnotes}
>+ <c:out value="${requestScope.actionnotes}" escapeXml="false"/><!-- already html-escaped in backend -->
> </div>
> </div>
> </li>
>diff --git a/java/code/webapp/WEB-INF/pages/systems/sdc/overview.jsp b/java/code/webapp/WEB-INF/pages/systems/sdc/overview.jsp
>index 32163e8..6674201 100644
>--- a/java/code/webapp/WEB-INF/pages/systems/sdc/overview.jsp
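Review bot: In the history_event.jsp `-44` hunk, `<!-- already html-escaped in backend -->` is an HTML comment, so it is sent to every visitor's browser as part of the rendered page instead of staying in the source; a JSP comment, `<%-- already html-escaped in backend --%>`, keeps the note server-side. The identical HTML comment appears in the overview.jsp `-369` hunk further down and should be changed the same way. The note would also be more useful if it named the producer it trusts, since `escapeXml="false"` is only safe while that producer escapes; from the rest of this patch the value appears to come from ActionFormatter, but that is inferred, not visible in this file.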
>+++ b/java/code/webapp/WEB-INF/pages/systems/sdc/overview.jsp
>@@ -81,7 +81,7 @@
> <rhn:icon type="monitoring-warn" />
> </c:otherwise>
> </c:choose>
>- <a href="/rhn/systems/details/probes/ProbeDetails.do?sid=${system.id}&probe_id=${probe.id}">${probe.description}</a><br/>
>+ <a href="/rhn/systems/details/probes/ProbeDetails.do?sid=${system.id}&probe_id=${probe.id}"><c:out value="${probe.description}"/></a><br/>
> </c:forEach>
> </div>
> </div>
>@@ -140,7 +140,7 @@
> <c:if test="${system.virtualGuest}">
> <tr>
> <td><bean:message key="sdc.details.overview.virtualization"/></td>
>- <td>${system.virtualInstance.type.name}</td>
>+ <td><c:out value="${system.virtualInstance.type.name}"/></td>
> </tr>
> <tr>
> <td><bean:message key="sdc.details.overview.uuid"/></td>
>@@ -212,7 +212,7 @@
> <c:if test="${system.baseChannel != null}">
> <ul class="channel-list">
> <li>
>- <a href="/rhn/channels/ChannelDetail.do?cid=${baseChannel['id']}">${baseChannel['name']}</a>
>+ <a href="/rhn/channels/ChannelDetail.do?cid=${baseChannel['id']}"><c:out value="${baseChannel['name']}" /></a>
> <c:if test="${baseChannel['is_fve'] == 'Y'}">
> (Flex)
> </c:if>
>@@ -220,7 +220,7 @@
>
> <c:forEach items="${childChannels}" var="childChannel">
> <li class="child-channel">
>- <a href="/rhn/channels/ChannelDetail.do?cid=${childChannel['id']}">${childChannel['name']}</a>
>+ <a href="/rhn/channels/ChannelDetail.do?cid=${childChannel['id']}"><c:out value="${childChannel['name']}" /></a>
> <c:if test="${childChannel['is_fve'] == 'Y'}">
> (Flex)
> </c:if>
>@@ -326,7 +326,7 @@
> </c:when>
> <c:otherwise>
> <c:forEach items="${system.entitlements}" var="entitlement">
>- [${entitlement.humanReadableLabel}]
>+ [<c:out value="${entitlement.humanReadableLabel}" />]
> </c:forEach>
> </c:otherwise>
> </c:choose>
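Review bot: The probe link in the `-81` hunk still writes `${system.id}` and `${probe.id}` straight into the href attribute with no `<c:out>`, and the channel links in the `-212` and `-220` hunks do the same with `${baseChannel['id']}` and `${childChannel['id']}`; only the link text was escaped. These are presumably numeric ids, which would make the raw interpolation safe, but nothing in the patch establishes that, and a non-numeric value would reach attribute context unescaped. Wrapping them like the link text, e.g. `cid=<c:out value="${baseChannel['id']}" />`, removes the assumption at no cost. The bare `&` between the two query parameters in the probe href should also be `&amp;` inside an HTML attribute.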
>@@ -369,7 +369,7 @@
> </tr>
> <tr>
> <td><bean:message key="sdc.details.overview.description"/></td>
>- <td>${description}</td>
>+ <td><c:out value="${description}"escapeXml="false"/></td> <!-- already html-escaped in backend -->
> </tr>
> <tr>
> <td><bean:message key="sdc.details.overview.location"/></td>
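Review bot: `<c:out value="${description}"escapeXml="false"/>` has no whitespace between the two attributes; some JSP engines tolerate it, but it is not valid tag syntax and a stricter parser or the XML view of the page will reject it. Change it to `<c:out value="${description}" escapeXml="false"/>`. Because `escapeXml="false"` is deliberate here, the value is only safe while SystemOverviewAction (earlier in this patch) keeps escaping it before the `<br/>` rewrite; naming that producer in the comment would tell a future reader which class must not change.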