Bug 725038

Summary: Banner notifications containing invalid html can hang a page
Product: Red Hat Enterprise MRG
Reporter: Trevor McKay <tmckay>
Component: cumin
Assignee: Trevor McKay <tmckay>
Status: CLOSED ERRATA
QA Contact: Jeff Needle <jneedle>
Severity: high
Docs Contact:
Priority: medium
Version: 2.0
CC: jneedle, matt, mkudlej
Target Milestone: 2.1
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: cumin-0.1.5033-1
Doc Type: Bug Fix
Doc Text:
Previously, messages printed in yellow task status banners in the Cumin web console could potentially contain characters that break XML parsing in a browser during display. If such a message was printed, the browser displayed an error message, no Cumin content was visible, and Cumin had to be restarted to restore the user interface. With this update, code has been added to properly escape special characters in the banner messages before display, thus preventing this bug.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-01-23 17:27:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 743350

Description Trevor McKay 2011-07-22 16:08:13 UTC
Description of problem:

When an asynchronous operation such as a job submit returns an error result, cumin sometimes renders a yellow banner notification that contains characters that mess up xml parsing by the browser.  As long as the banner is active (which may be forever, since the "dismiss" button is not available) no cumin page can be viewed.  The only way out is to restart cumin-web.

Version-Release number of selected component (if applicable):

2.0

How reproducible:

100%, assuming we can craft a failed operation of the right flavor

Steps to Reproduce:
1.  stay tuned....
2.
3.
  
Actual results:

Page is messed up, cumin is inoperable.

Expected results:

Error should simply be displayed, with invalid text replaced or removed

Additional info:

Banner ads might have a timeout, I don't recall.  I think they persist until dismissed.

Comment 1 Trevor McKay 2011-07-22 19:08:37 UTC
Easiest way to test is with code from trunk.... Unfortunately, the reproduction scenario cannot be run in 2.0 because the aviary functionality is not present.  But trust me, the error message below should break the browser :)

1. Set use-aviary to True in cumin.conf (should be default)
2. Set aviary-host to a machine that is not running aviary.
3. Try to submit a job, or hold/release/remove an existing job.

This will result in a connection refused message from the aviary client, which contains XML special characters.  Message should render to the screen without error, for example.

Hold: Failed (<urlopen error [Errno 111] Connection refused>)

Comment 2 Trevor McKay 2011-07-22 19:11:55 UTC
Fixed in revision 4886.

This problem does exist in 2.0, it's just difficult to come up with a scenario that displays it.

Comment 3 Trevor McKay 2011-09-02 13:28:40 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    The messages printed in yellow task status banners in Cumin can potentially contain characters that break XML parsing in a browser during display.

Consequence
    If such a message is printed, the browser will display an error message and no Cumin content will be visible.  The simplest way to restore the UI is to restart Cumin, since no links are visible to dismiss the task banner or logout the user.

Fix
    Code has been added to properly escape special characters in the banner messages before display.

Result
    The properly escaped error messages display correctly and functionality is not interrupted.
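An added example (not Cumin's own code) that shows the failure mode described in the Doc Text and in this technical note: the raw task-status message from Comment 1 breaks a strict XML parse of the banner markup, while the same message escaped before display parses and renders its text intact. The banner fragment, the render functions and the use of a stand-alone XML parser in place of the browser are assumptions made for the example.

```python
"""Added example, not Cumin's code: why an unescaped task-status message
breaks XML parsing, and how escaping it before display prevents that.
The banner markup and function names are hypothetical stand-ins."""
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

# Constructed input, modelled on the message quoted in Comment 1.
MESSAGE = "Hold: Failed (<urlopen error [Errno 111] Connection refused>)"

# Hypothetical banner fragment. A page served as XML is parsed strictly by
# the browser, so a stray '<' or '&' inside the text is a fatal error.
BANNER = '<div class="banner">%s</div>'


def render_unescaped(message):
    """Buggy rendering: drops the raw message into the markup."""
    return BANNER % message


def render_escaped(message):
    """Fixed rendering: escapes &, <, > and double quotes before display."""
    return BANNER % escape(message, {'"': "&quot;"})


def parses_as_xml(fragment):
    """True if a strict XML parser (standing in for the browser) accepts it."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


def banner_text(fragment):
    """The text a user would see once the fragment is parsed."""
    return ET.fromstring(fragment).text


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped),
                         ("escaped", render_escaped)):
        frag = render(MESSAGE)
        print("%-9s parses=%-5s %s" % (name, parses_as_xml(frag), frag))
    print("displayed:", banner_text(render_escaped(MESSAGE)))
```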

Comment 5 Jan Sarenik 2011-10-17 12:24:26 UTC
Unreproducible. Should be skip-errata.

Comment 6 Jan Sarenik 2011-10-17 12:25:34 UTC
Unverifiable as well, as cumin seems to fall back to QMF when
Aviary is not running.

Comment 7 Jan Sarenik 2011-10-17 12:31:20 UTC
Nope, sorry. When I do not set brokers in cumin and do not
run the Aviary, I get simply

 'Submit job 'Test1': Forbidden'

Without any XML mess. Verified in cumin-0.1.5068-1.el6.noarch

Comment 9 Tomas Capek 2011-11-17 12:00:12 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,11 +1 @@
-Cause
+Previously, messages printed in yellow task status banners in the Cumin web console could potentially contain characters that break XML parsing in a browser during display. If such a message was printed, the browser displayed an error message, no Cumin content was visible, and Cumin had to be restarted to restore the user interface. With this update, code has been added to properly escape special characters in the banner messages before display, thus preventing this bug.-    The messages printed in yellow task status banners in Cumin can potentially contain characters that break XML parsing in a browser during display.
-
-Consequence
-    If such a message is printed, the browser will display an error message and no Cumin content will be visible.  The simplest way to restore the UI is to restart Cumin, since no links are visible to dismiss the task banner or logout the user.
-
-Fix
-    Code has been added to properly escape special characters in the banner messages before display.
-
-Result
-    The properly escaped error messages display correctly and functionality is not interrupted.
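Review bot: the single `+` line of this hunk runs the first removed line of the old note onto the end of the new paragraph ("...thus preventing this bug.-    The messages printed in yellow task status banners in Cumin can potentially contain characters..."), so as shown the added text and the removed Cause body are not separated; confirm that the Technical Notes field holds only the new one-paragraph text ending at "preventing this bug." and that the `-    The messages printed ...` line was actually removed rather than appended.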

Comment 10 errata-xmlrpc 2012-01-23 17:27:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0045.html