Bug 462411
| Summary: | certificate request wizard returns an error | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Directory Server | Reporter: | Ulf Weltman <ulf.weltman> | ||||||
| Component: | UI - Configuration | Assignee: | Rich Megginson <rmeggins> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Chandrasekar Kannan <ckannan> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 7.1 | CC: | benl, jfenal, jgalipea, msauton, nkinder, tao | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Other | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | 8.1 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2009-04-29 23:06:27 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 249650, 493682 | ||||||||
| Attachments: |
|
||||||||
|
Description
Ulf Weltman
2008-09-16 00:37:11 UTC
Created attachment 325446 [details]
diffs - adminutil
Created attachment 325447 [details]
diffs - adminserver
Public Description: With DS 1.1 (using adminutil 1.1.7) the CGI that processes certificate requests broke, at the end of the certificate request wizard it says "Unable to convert DN to certificate name." Reviewed by: nkinder (Thanks!) Fix Description: This was broken as part of the fix for the XSS issues. To fix that, in order to make sure we never displayed any string that contained unescaped HTML entities, we just go ahead and escape everything when we read the values from the CGI GET or POST arguments. For this particular bug, this meant the cert CGI was getting a DN like this: CN="ldap.example.com" instead of CN="ldap.example.com". The solution is to add some functions to adminutil (stolen from dsgw) that can be used to escape/unescape HTML entities. We have to be careful never to display unescaped strings - in this particular case, the DN is never printed. Platforms tested: RHEL5 Flag Day: yes - will require new adminutil, adminserver Doc impact: no RCS file: /cvs/dirsec/adminutil/include/libadminutil/admutil.h,v +++ admutil.h 3 Dec 2008 17:31:26 -0000 1.10 RCS file: /cvs/dirsec/adminutil/lib/libadminutil/form_post.c,v +++ form_post.c 3 Dec 2008 17:31:26 -0000 1.11 RCS file: /cvs/dirsec/adminserver/admserv/cgi-src40/security.c,v +++ security.c 3 Dec 2008 17:32:17 -0000 1.16 With DS 8.1 am can successfully complete a certificate request- Is this all that is needed to verify this bug? yes fix verified RHEL 5 DS 8.1 *** Bug 468123 has been marked as a duplicate of this bug. *** An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html |