Bug 1215030 (CVE-2015-3162)

Summary: HTML tags in recipe set comments are not escaped in the "edit comment" dialog
Product: [Retired] Beaker Reporter: Dan Callaghan <dcallagh>
Component: generalAssignee: Dan Callaghan <dcallagh>
Status: CLOSED CURRENTRELEASE QA Contact: tools-bugs <tools-bugs>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: aigao, asaha, dcallagh, dowang, drewbinskyn, ebaak, huiwang, ineilsen, jskeoch, junichi.nomura, kueda, lzhuang, mjia, naoya.horiguchi, pen-test, rpotts, security-response-team, tatsu-ab1, tflink
Target Milestone: 20.1Keywords: Patch, Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-05-08 04:06:03 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1215894    
Attachments:
Description Flags
proposed patch
none
proposed patch v2 none

Description Dan Callaghan 2015-04-24 07:23:48 UTC
Description of problem:
The "edit comment" dialog on the job page does not escape HTML characters in the comment correctly after fetching it.

Version-Release number of selected component (if applicable):
probably all Beaker versions

How reproducible:
easily

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>
4. Refresh the job page, and click "comment" again

Actual results:
<script> is executed

Expected results:
HTML characters should be escaped in the comment value

Comment 1 Dan Callaghan 2015-04-29 07:22:36 UTC
Created attachment 1020005 [details]
proposed patch

Comment 4 Hui Wang 2015-05-04 07:16:40 UTC
Verified this issue.
The result is FAILED.
Version: Beaker 20.1.git.5.24dc482

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>

Result:
The script still be executed.

Comment 5 Dan Callaghan 2015-05-04 07:21:37 UTC
Ah yes, there is another one I missed... full steps to reproduce are:

1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment"
4. Click "edit" and change the comment to: <script>alert('xss')</script>, then click "save"
5. Refresh the job page
6. Click "comment"
7. Click "edit"

Script is executed.

Comment 6 Dan Callaghan 2015-05-04 07:51:17 UTC
Created attachment 1021565 [details]
proposed patch v2

This patch addresses the other missed escaping, in the edit comment dialog. (Sigh, that code makes me very sad.)

Comment 10 Hui Wang 2015-05-05 02:31:47 UTC
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.fd65027

Comment 11 Dan Callaghan 2015-05-08 04:06:03 UTC
Beaker 20.1 has been released.

Comment 12 Timothy Sykes 2023-03-16 07:11:56 UTC Comment hidden (spam)
Comment 13 Timothy Sykes 2023-03-16 07:15:08 UTC Comment hidden (spam)
Comment 14 Drew Binsky 2023-03-17 02:20:18 UTC Comment hidden (spam)
Comment 15 emmausa 2023-06-27 07:24:02 UTC Comment hidden (spam)
Comment 16 Timothy Ferriss 2023-07-06 08:22:18 UTC Comment hidden (spam)