Bug 1023093
| Summary: | User can break Domains UI by entering a nasty string for 'name' | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Corey Welton <cwelton> |
| Component: | Provisioning | Assignee: | Dmitri Dolguikh <dmitri> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Corey Welton <cwelton> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0.2 | CC: | dcleal, mmccune, ohadlevy |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://projects.theforeman.org/issues/3516 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-07-02 14:04:47 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Satellite-6.0.2-RHEL-6-20131023.1 A side note: The resulting error page also references tracking issues in foreman bug tracker. We fixed this elsewhere but apparently this is a new place where we need to point to BZ. I'd prefer we fix this at the same time since it's hard to try and verify such things when the underlying breakage is fixed. I think the actual string used was 你好/`cat /etc/passwd` bad copy and paste from screen in the initial report. from hammer -u admin -p admin domain list 3 | 你好/`cat /etc/passwd/` So there's your proper string It does appear we can remove it via CLI hammer -u admin -p admin domain delete --id 3 So as we have a workaround, I will remove blocker. A basic "a/b" causes it to fail too, much the same reason behind bug #1023062 as we're not sanitising names sufficiently in URLs. Merged as 39558b7200a7e1d4d5976ee62e25491d9016e56f in develop. Verified in Satellite/Satellite-6.0.3-RHEL-6-20140430.4 This was delivered with 6.0.3, which is the Satellite 6 Beta. |
Description of problem: When users enters an ugly string for Domain, it breaks the UI - Domains UI can subsequently not be accessed. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Navigate to Domains in foreman and try to create a new domain. use the following string 你好/`cat /etc/passwd/ 2. Note error 3. Attempt to navigate back to main domains UI at all, e.g., server.example.com/foreman/domains Actual results: Initial and subsequent errors "Oops, we're sorry but something went wrong x No route matches {:action=>"edit", :controller=>"domains", :id=>"你好/`cat /etc/passwd/`"} If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries. Back" User cannot access page Expected results: Field validation Additional info: Not sure if a workaround is to use cli to try and remove any gunk. Will try and report back.