Bug 1215030 (CVE-2015-3162)
| Summary: | HTML tags in recipe set comments are not escaped in the "edit comment" dialog | | |
|---|---|---|---|
| Product: | [Retired] Beaker | Reporter: | Dan Callaghan <dcallagh> |
| Component: | general | Assignee: | Dan Callaghan <dcallagh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | tools-bugs <tools-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | aigao, asaha, dcallagh, dowang, drewbinskyn, ebaak, huiwang, ineilsen, jskeoch, junichi.nomura, kueda, lzhuang, mjia, naoya.horiguchi, pen-test, rpotts, security-response-team, tatsu-ab1, tflink |
| Target Milestone: | 20.1 | Keywords: | Patch, Security |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-05-08 04:06:03 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1215894 | | |
| Attachments: | | | |
Created attachment 1020005 [details]
proposed patch
Verified this issue.
The result is FAILED.
Version: Beaker 20.1.git.5.24dc482
Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>
Result:
The script is still executed.
Ah yes, there is another one I missed... full steps to reproduce are:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment"
4. Click "edit" and change the comment to: <script>alert('xss')</script>, then click "save"
5. Refresh the job page
6. Click "comment"
7. Click "edit"
Script is executed.
Created attachment 1021565 [details]
proposed patch v2
This patch addresses the other missed escaping, in the edit comment dialog. (Sigh, that code makes me very sad.)
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.fd65027
Beaker 20.1 has been released.
Description of problem:
The "edit comment" dialog on the job page does not escape HTML characters in the comment correctly after fetching it.
Version-Release number of selected component (if applicable):
probably all Beaker versions
How reproducible:
easily
Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>
4. Refresh the job page, and click "comment" again
Actual results:
<script> is executed
Expected results:
HTML characters should be escaped in the comment value
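
The thread shows a first patch that escaped one place the comment is rendered and missed the edit dialog. The sketch below is an added example, not Beaker's code or the attached patches: it runs the same probes through every rendering of the comment so that a missed sink is reported. All function names and markup are hypothetical.

```javascript
// Hypothetical sketch of the two places a stored comment reaches the page.
// None of these names or markup come from Beaker.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Sink 1: the read-only comment shown after clicking "comment".
function renderCommentView(comment, escape = escapeHtml) {
  return '<div class="comment-text">' + escape(comment) + '</div>';
}

// Sink 2: the "edit" dialog, pre-filled with the comment fetched from the server.
function renderEditDialog(comment, escape = escapeHtml) {
  return '<form class="comment-edit"><textarea name="comment">' +
    escape(comment) + '</textarea><button type="submit">save</button></form>';
}

// Regression check: run every sink over the same probes and name the sinks that leak markup.
function findUnescapedSinks(sinks, probes) {
  const leaks = new Set();
  for (const [name, render] of Object.entries(sinks)) {
    for (const probe of probes) {
      // The probe text must never appear verbatim in the generated markup.
      if (render(probe).includes(probe)) leaks.add(name);
    }
  }
  return [...leaks];
}

// Constructed probes: the string from the reproduction steps, plus one that ends the textarea.
const PROBES = ["<script>alert('xss')</script>", '</textarea><b>bold</b>'];

// State after a fix that covers only the comment view: the dialog still passes text through.
const partlyFixed = {
  commentView: (c) => renderCommentView(c),
  editDialog: (c) => renderEditDialog(c, (s) => s),
};
// State after both sinks escape.
const fullyFixed = { commentView: renderCommentView, editDialog: renderEditDialog };

console.log('partly fixed leaks:', findUnescapedSinks(partlyFixed, PROBES));
console.log('fully fixed leaks: ', findUnescapedSinks(fullyFixed, PROBES));
```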