Bug 1978345

Summary: End Entity's List Certificates Page Back/Forward Buttons are Broken [rhel-7.9.z]
Product: Red Hat Enterprise Linux 7
Reporter: Chris Zinda <czinda>
Component: pki-core
Assignee: Chris Kelley <ckelley>
Status: CLOSED ERRATA
QA Contact: PKI QE <bugzilla-pkiqe>
Severity: unspecified
Priority: medium
Version: 7.9
CC: aakkiang, dpunia, jreznik, mharmsen, msauton, pcech
Target Milestone: rc
Keywords: Triaged, ZStream
Target Release: 7.9
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.5.18-18.el7_9, pki-core-10.5.18-18.el7pki
Last Closed: 2021-11-23 17:16:37 UTC
Type: Bug
Attachments: List_Certificates_Not_working.png

Description Chris Zinda 2021-07-01 15:45:52 UTC
Created attachment 1796848
List_Certificates_Not_working.png

Description of problem:
When you navigate to the List Certificates page and try to move forward/backwards, the behavior is strange. First, there are two of the buttons. Second, if you, say, list only 1 record and go to 0x4, then choose the single back button, it takes you directly to 0x1 and you cannot move to 0x2.

Version-Release number of selected component (if applicable):
pki-ca-10.5.18-12+

How reproducible:
Very.

Steps to Reproduce:
Go to End Entity -> retrieval tab -> list certificate
Either put in a known serial or leave blank. Adjust the Range or leave at default. Click Find. I put in 0x4 and return 1 record for testing.


Actual results:
See picture for how it looks. (List Certificates not Working).

Expected results:
It should work like every other page. The Agent Pages version of this works just fine.

Additional info:
This appears to be a regression bug related to our fix for CVE-2020-25715.  Below is the git commit.

---
from pki-core-rhel-7.9-rhcs-97-bu-4.patch

From 7732ccb75f277338e728b963d06e92ca7c37414b Mon Sep 17 00:00:00 2001
From: Matthew Harmsen <mharmsen>
Date: Thu, 11 Feb 2021 16:48:18 -0700
Subject: [PATCH 17/17] Resolve XSS in ca queryCert pagination

Several values in ListCerts were reflected back to the caller, making a
reflected XSS attack possible. These values were sanitized and the
front-end template fixed to prevent this type of attack in general.

Resolves: CVE-2020-25715
Signed-off-by: Alexander Scheel <ascheel>
---
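
The commit message above describes sanitizing values that ListCerts reflects back to the caller, and this report is that paging broke afterwards. As an added example (not the pki-core patch or project code; the function and parameter names are hypothetical and the paging arithmetic is a constructed model), one way to handle reflected pagination values is to parse them into typed values, re-serialize them, and then check that Back still steps one page at a time:

```javascript
// Added example; function and parameter names are hypothetical, not pki-core's.
// Accept a serial only as decimal or 0x-prefixed hex, and return it as a BigInt.
function parseSerial(raw) {
  if (typeof raw !== "string") return null;
  if (!/^(0x[0-9a-fA-F]{1,40}|[0-9]{1,49})$/.test(raw)) return null;
  return BigInt(raw);
}

// Accept a page size only as a small positive integer.
function parseCount(raw, max = 100) {
  if (typeof raw !== "string" || !/^[0-9]{1,4}$/.test(raw)) return null;
  const n = Number(raw);
  return n >= 1 && n <= max ? n : null;
}

const toHex = (n) => "0x" + n.toString(16);

// Compute the page state from request parameters; null means "reject the request".
// Only re-serialized values leave this function, never the caller's original strings.
function pageState(params) {
  const first = parseSerial(params.serial);
  const count = parseCount(params.count);
  if (first === null || count === null) return null;
  const step = BigInt(count);
  return {
    first: toHex(first),
    count,
    next: toHex(first + step),
    // Assumption: serial numbers start at 0x1, so there is no page before it.
    prev: first - step >= 1n ? toHex(first - step) : null,
  };
}

// Render the Back/Forward links once, from canonical values only.
function renderNav(state) {
  const link = (label, serial) =>
    serial === null ? "" : `<a href="?serial=${serial}&amp;count=${state.count}">${label}</a>`;
  return link("Back", state.prev) + link("Forward", state.next);
}

// Regression check: press Back repeatedly and record every page start visited.
function walkBack(serial, count) {
  const visited = [];
  for (let s = pageState({ serial, count }); s && s.prev; s = pageState({ serial: s.prev, count })) {
    visited.push(s.prev);
  }
  return visited;
}
```

Running a walk like `walkBack("0x4", "1")` as part of the test suite for a sanitization change catches the kind of navigation regression reported here before release.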

Comment 18 errata-xmlrpc 2021-11-23 17:16:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4791