Bug 1475303

| Field | Value |
|---|---|
| Summary | Text Injection possible |
| Product | Red Hat CloudForms Management Engine |
| Reporter | Vatsal Parekh <vparekh> |
| Component | UI - OPS |
| Assignee | Martin Povolny <mpovolny> |
| Status | CLOSED ERRATA |
| QA Contact | Yadnyawalk Tale <ytale> |
| Severity | urgent |
| Docs Contact | |
| Priority | low |
| Version | 5.8.0 |
| CC | dajohnso, hkataria, jhardy, jkrocil, khala, mpovolny, obarenbo, simaishi, vparekh |
| Target Milestone | GA |
| Target Release | 5.10.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | ui:flash_msg |
| Fixed In Version | 5.10.0.0 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| | 1515355 1520669 |
| Environment | |
| Last Closed | 2019-02-07 23:02:36 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | Bug |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | CFME Core |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1515355, 1520669 |
Comment 2
Martin Povolny
2017-09-25 17:13:07 UTC

> Perform some action and flash message is shown

Sorry, but my crystal ball is broken this week. I did perform some action but saw no flash msg. I believe there's an issue as you describe it SOMEWHERE but...

Comment 4
Martin Povolny

Actually I did find an example in the DUP of this issue:

> Description of problem:
> After creating a VM creation request, the flash message shown is sent as a URL parameter, and can be easily edited, and be misused
>
> Version-Release number of selected component (if applicable):
> Version master.20170830023715_aa4dab9
>
> How reproducible:
> 100%
>
> Steps to Reproduce:
> 1. Submit a request for VM creation
> 2. See the flash message
>
> Actual results:
> Flash message in the URL parameter

It would be helpful if you could help me get all the places that you have found into one BZ but with a description that I would be able to reproduce (as the one above). Thx!

Fixing one such place: https://github.com/ManageIQ/manageiq-ui-classic/pull/2408

One more such place: https://github.com/ManageIQ/manageiq-ui-classic/pull/2412

All places I see are using a Rails function for the redirect, so no javascript injection is possible; I don't consider this a security issue. We can fix all the places as a "hardening" task but afaik this should not be a priority. The two fixes in this PR can be considered a pattern to fix all the other places.

(In reply to Martin Povolny from comment #4)
> It would be helpful if you could help me get all the places that you have found into one BZ but with a description that I would be able to reproduce (as the one above).
>
> Thx!

To list such places: places where we provision/order VMs, delete/modify them. In general I see almost all the flash messages passed in as a url parameter.

> In general I see almost all the flash messages passed in as a url parameter.

I don't.

I'm also not seeing them now; I used to see them in previous builds.

Ok, moving this to POST. Some places were fixed. Once we have more places found we can create new BZs. The pattern for the fix is pretty straightforward once you see the place. As I previously declared: if you show me such places, I can get it fixed.

Fixed! Flash messages are now gone from several main feature pages (tested for GET URL parameters). I do understand this is something we cannot fully mitigate and there are several internal parts of CFME which still use flash via GET. As of now it is fixed in 5.10.0.17.20180927011235_1b5cf54. Well done! Thank you!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:0212
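The two patterns the discussion contrasts, as an added Ruby illustration (this is not ManageIQ code and not the fix from PR 2408/2412): a flash message carried in the redirect URL can be rewritten by anyone who edits the link, and HTML escaping only stops it from becoming script injection, while the hardened form keeps the message in a session-backed flash store and redirects to a URL with nothing user-editable. The `SessionFlash` class, the `/miq_request/show_list` path, session ids and messages are constructed sample values.

```ruby
require 'cgi'
require 'uri'
require 'erb'

# --- Pattern the bug describes: flash text travels in the redirect URL ---
# Post-action redirect that puts the message into a GET parameter.
def redirect_with_flash_in_url(path, message)
  "#{path}?flash_msg=#{CGI.escape(message)}"
end

# Landing page renders whatever flash_msg arrived in the URL. HTML is escaped
# (as Rails does), so no script runs, but the wording belongs to whoever
# built the link, not to the application: text injection.
def render_flash_from_url(url)
  msg = CGI.parse(URI(url).query.to_s)['flash_msg'].first
  msg && "<div class=\"flash\">#{ERB::Util.html_escape(msg)}</div>"
end

# --- Hardened pattern: message kept server-side, keyed by the session ---
# Stand-in for the session-backed Rails flash (constructed helper, not ManageIQ code).
class SessionFlash
  def initialize
    @messages = {}
  end

  # Store the message before redirecting; the redirect target carries
  # nothing the user can edit, so the displayed text is always the app's own.
  def redirect_with_flash(session_id, path, message)
    @messages[session_id] = message
    path
  end

  # Read once on the next request and then cleared (flash semantics);
  # a session that set no message, or a different session, gets nothing.
  def render_flash(session_id)
    msg = @messages.delete(session_id)
    msg && "<div class=\"flash\">#{ERB::Util.html_escape(msg)}</div>"
  end
end
```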