| Summary: | Error message while testing Cross-Site scripting nonce parameter. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Amol K <akahat> |
| Component: | pki-core | Assignee: | Christina Fu <cfu> |
| Status: | CLOSED UPSTREAM | QA Contact: | Asha Akkiangady <aakkiang> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.3 | CC: | ascheel, mharmsen, nkinder |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-07 23:13:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Amol K
2016-03-14 08:23:42 UTC
(In reply to Amol K from comment #0)

> Description of problem:
>
> After execution of the following URL, got an unrecoverable error message.
>
> Version-Release number of selected component (if applicable):
> 10.2.6-10.el7pki
>
> How reproducible:
> Always
>
> Steps to Reproduce:
> 1. Authenticate with a CA agent certificate.
> 2. The following URL is being used to test the Cross-Site Scripting nonce parameter.
> 3. In the browser, paste the following URL with your CA's host and agent port.
>
> https://hostname:<secure-port>/ca/agent/ca/profileProcess?requestId=%20%2b%20requestId%20%2b%20&' + recordSet[i].defListSet[j].defId + '='%20%2b%20escapeValue(recordSet%5bi%5d.defListSet%5bj%5d.defVal)%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '='%20%2b%20recordSet%5bi%5d.defListSet%5bj%5d.defVal%20%2b%20'&' + recordSet[i].defListSet[j].defId + '=%20%2b%20c%5bk%5d%20%2b%20&' + recordSet[i].defListSet[j].defId + '=false&requestNotes='%20%2b%20requestNotes%20%2b%20'&op=unassign&nonce=%5c%22%22%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%31%32%31%33%29%3c%2f%73%43%72%49%70%54%3e&submit=submit
>
> Actual results:
>
> The Certificate System has encountered an unrecoverable error.
>
> Error Message:
> java.lang.NumberFormatException: Illegal embedded sign character
>
> Please contact your local administrator for assistance.
>
> Expected results:
>

What was expected? Basically, this appears to work as expected, as the cross-site attack appeared to be thwarted.

> Additional info:

Expected outcome is:

Request Information

| Error Code: | 1 |
|---|---|
| Error Reason: | Operation Not Found |

But we got:

java.lang.NumberFormatException: Illegal embedded sign character

Upstream ticket: https://fedorahosted.org/pki/ticket/2315

Per Bug Triage of 05/03/2016: RHEL 7.4

NOTE: Discussed and confirmed with aakkiang over IRC.

Per 10.5.x/10.6 Triage: 10.6

cfu: fix looks relatively simple

Moved to RHEL 7.7.
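A note on the message itself, with an added example (this is illustration code written for this page, not pki-core source). The quoted request carries `requestId=%20%2b%20requestId%20%2b%20`, which URL-decodes to ` + requestId + `, and a `nonce=` value that decodes to a `<sCrIpT>alert(51213)</sCrIpT>` payload. The `java.math.BigInteger(String)` constructor throws `NumberFormatException("Illegal embedded sign character")` whenever a `+` or `-` appears anywhere other than index 0, so the error page in the report is consistent with a query parameter being handed to that constructor before any validation; letting the exception propagate is what turns a harmless probe into the "unrecoverable error" page instead of the handled "Operation Not Found" response the reporter expected. The class name, method names, the unsigned-decimal policy for request IDs and nonces, and the fixed error text are assumptions made for this example; the two sample values are constructed from the reported URL.

```java
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.net.URLDecoder;
import java.util.regex.Pattern;

/**
 * Added illustration, not pki-core code: reproduces the reported message
 * from the decoded parameter values, then shows a validate-first handler
 * that answers with a fixed error instead of a propagated exception.
 */
public class AgentParamCheck {

    // Constructed from the reported URL: the URL-encoded requestId= and nonce= values.
    static final String REQUEST_ID_ENC = "%20%2b%20requestId%20%2b%20";
    static final String NONCE_ENC =
        "%5c%22%22%3c%73%43%72%49%70%54%3e%61%6c%65%72%74%28%35%31%32%31%33%29%3c%2f%73%43%72%49%70%54%3e";

    static String urlDecode(String enc) {
        try {
            return URLDecoder.decode(enc, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always present
        }
    }

    /** What the report's behaviour looks like: the raw parameter goes straight to a number parser. */
    static String unguarded(String raw) {
        try {
            return "ok: " + new BigInteger(raw);
        } catch (NumberFormatException e) {
            // In a servlet, letting this escape is what produces the stack-trace error page.
            return "NumberFormatException: " + e.getMessage();
        }
    }

    // Assumption for this example: request IDs and nonces are unsigned decimal integers.
    static final Pattern UNSIGNED_DECIMAL = Pattern.compile("[0-9]{1,20}");

    /**
     * Hardened variant: check the shape before parsing and return a fixed,
     * non-reflective error. The parameter *name* is a server-side constant;
     * the attacker-controlled *value* never reaches the response, so a nonce
     * carrying script has nothing to inject into.
     */
    static String guarded(String paramName, String raw) {
        if (raw == null || !UNSIGNED_DECIMAL.matcher(raw).matches()) {
            return "Error Reason: invalid value for parameter " + paramName;
        }
        return "ok: " + new BigInteger(raw);
    }

    /** If a value ever must be echoed into the agent HTML page, escape it first. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String requestId = urlDecode(REQUEST_ID_ENC); // " + requestId + "
        String nonce = urlDecode(NONCE_ENC);           // \""<sCrIpT>alert(51213)</sCrIpT>

        // BigInteger rejects a '+' or '-' that is not at index 0 with exactly the
        // message quoted in the report: "Illegal embedded sign character".
        System.out.println(unguarded(requestId));
        // The nonce is not numeric at all and fails with a different NumberFormatException.
        System.out.println(unguarded(nonce));

        // Validate-first handling: fixed error text, no exception, nothing reflected.
        System.out.println(guarded("requestId", requestId));
        System.out.println(guarded("nonce", nonce));
        System.out.println(guarded("nonce", "51213"));

        // Only if the value must be shown back to the agent:
        System.out.println(htmlEscape(nonce));
    }
}
```

Run with `javac AgentParamCheck.java && java AgentParamCheck`. The point of the guarded path is that the response to a malformed `requestId` or `nonce` is decided by server-side policy, not by whichever parser happens to reject the string first, which is why the expected outcome in the report is a short "Error Reason" line rather than an exception class name.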