Bug 951231

Summary: Systems Custom Information - Keyname and value should escape html characters < > /
Product: [Retired] Subscription Asset Manager Reporter: sthirugn <sthirugn>
Component: katelloAssignee: Adam Price <adprice>
Status: CLOSED ERRATA QA Contact: sthirugn <sthirugn>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 1.3CC: abhole, adujicek, bbuckingham, bkearney, gkhachik, mmccune, omaciel
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 997169 (view as bug list) Environment:
Last Closed: 2013-10-01 11:09:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 833466, 997169    
Attachments:
Description Flags
keyname is still not escaped none

Description sthirugn@redhat.com 2013-04-11 17:32:33 UTC 
Description of problem:
Keyname and value should not accept < > /

Version-Release number of selected component (if applicable):
* candlepin-0.8.2-1.el6.noarch
* candlepin-selinux-0.8.2-1.el6.noarch
* candlepin-tomcat6-0.8.2-1.el6.noarch
* elasticsearch-0.19.9-7.el6.noarch
* foreman-1.1stable-10.6ce2ab7.el6.noarch
* foreman-postgresql-1.1stable-10.6ce2ab7.el6.noarch
* katello-1.3.14-1.git.1139.53323b7.el6.noarch
* katello-all-1.3.14-1.git.1139.53323b7.el6.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.3.0-1.git.2847.9dfcc69.el6.noarch
* katello-cli-1.3.5-1.git.202.7f13583.el6.noarch
* katello-cli-common-1.3.5-1.git.202.7f13583.el6.noarch
* katello-common-1.3.14-1.git.1139.53323b7.el6.noarch
* katello-configure-1.3.6-1.git.1155.2a1db01.el6.noarch
* katello-glue-candlepin-1.3.14-1.git.1139.53323b7.el6.noarch
* katello-glue-elasticsearch-1.3.14-1.git.1139.53323b7.el6.noarch
* katello-glue-foreman-1.3.14-1.git.1139.53323b7.el6.noarch
* katello-glue-pulp-1.3.14-1.git.1139.53323b7.el6.noarch
* katello-qpid-broker-key-pair-1.0-1.noarch
* katello-qpid-client-key-pair-1.0-1.noarch
* katello-repos-1.3.2-1.git.2025.9dfcc69.el6.noarch
* katello-selinux-1.3.1-1.git.1803.9dfcc69.el6.noarch
* pulp-rpm-plugins-2.1.0-0.noarch
* pulp-selinux-2.1.0-0.n

How reproducible:
Always

Steps to Reproduce:
1. Register a client
2. Navigate to UI -> Systems page -> Select a registered system -> Details Tab -> Custom Information
3. Enter keyname <blink>thisismykey</blink> and click add
  
Actual results:
The keyname is added successfully
Note: The same is observed for the value field as well.

Expected results:
keyname/value should not accept html characters < > /

Additional info:
1. The same issue is observed with the value field also
2. This should be fixed in CLI also
3. Also refer a related BZ and the proposed solution here: https://bugzilla.redhat.com/show_bug.cgi?id=909475
Comment 1 sthirugn@redhat.com 2013-05-21 17:54:23 UTC 
Also once the keyname is created with html characters (<blink>thisismykey</blink>) I am not able to remove the keyname.  Clicking on Remove button gives an error "Resource not found on the server"
Comment 2 sthirugn@redhat.com 2013-05-21 19:10:33 UTC 
Along with https://bugzilla.redhat.com/show_bug.cgi?id=951231#c1 above the following scenarios are also affected:
1. Administer -> Organizations -> Select an ORG -> Default Custom Info -> System Default Info
2. Administer -> Organizations -> Select an ORG -> Default Custom Info -> Distributor Default Info
3. Content -> Subscriptions -> Subscription Manager Applications -> Select a Distributor -> Details -> Custom Information

Note to QE: Please these scenarios also along with Bug verification
Comment 5 Adam Price 2013-06-11 18:00:11 UTC 
these characters should be html-escaped, not necessarily prevented from entering the DB.
Comment 6 Adam Price 2013-06-11 18:01:15 UTC 
though i need to make sure they display correctly
Comment 12 Mike McCune 2013-06-19 14:31:40 UTC 
somehow this got moved to 6.0.3, moving back to 6.0.1
Comment 13 Adam Price 2013-06-19 19:27:28 UTC 
https://github.com/Katello/katello/pull/2527
Comment 15 Brad Buckingham 2013-06-21 12:59:52 UTC 
Mass move to ON_QA
Comment 16 Garik Khachikyan 2013-06-21 15:00:32 UTC 
# VERIFIED

Now it designed in a was to escape the html once.

got in IRC from adprice:
---
it escapes html characters. they will display but not break things
---

So seems we now look more safe.

Please feel free to reopen if anyone thinks we not (so).

version checked:
===
candlepin-0.8.9-1.el6_4.noarch
candlepin-cert-consumer-cfseserver5.usersys.redhat.com-1.0-1.noarch
candlepin-scl-1-5.el6_4.noarch
candlepin-scl-quartz-2.1.5-5.el6_4.noarch
candlepin-scl-rhino-1.7R3-1.el6_4.noarch
candlepin-scl-runtime-1-5.el6_4.noarch
candlepin-selinux-0.8.9-1.el6_4.noarch
candlepin-tomcat6-0.8.9-1.el6_4.noarch
elasticsearch-0.19.9-8.el6sat.noarch
katello-1.4.2-17.el6sat.noarch
katello-agent-1.4.2-5.el6sat.noarch
katello-all-1.4.2-17.el6sat.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-certs-tools-1.4.2-2.el6sat.noarch
katello-cli-1.4.2-8.el6sat.noarch
katello-cli-common-1.4.2-8.el6sat.noarch
katello-common-1.4.2-17.el6sat.noarch
katello-configure-1.4.3-16.el6sat.noarch
katello-configure-foreman-1.4.3-16.el6sat.noarch
katello-foreman-all-1.4.2-17.el6sat.noarch
katello-glue-candlepin-1.4.2-17.el6sat.noarch
katello-glue-elasticsearch-1.4.2-17.el6sat.noarch
katello-glue-pulp-1.4.2-17.el6sat.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-selinux-1.4.3-3.el6sat.noarch
m2crypto-0.21.1.pulp-8.el6sat.x86_64
mod_wsgi-3.4-1.pulp.el6sat.x86_64
pulp-rpm-handlers-2.1.2-1.el6sat.noarch
pulp-rpm-plugins-2.1.2-1.el6sat.noarch
pulp-selinux-2.1.2-1.el6sat.noarch
pulp-server-2.1.2-1.el6sat.noarch
python-isodate-0.5.0-1.pulp.el6sat.noarch
python-oauth2-1.5.170-3.pulp.el6sat.noarch
python-pulp-agent-lib-2.1.2-1.el6sat.noarch
python-pulp-common-2.1.2-1.el6sat.noarch
python-pulp-rpm-common-2.1.2-1.el6sat.noarch
python-qpid-0.18-5.el6_4.noarch
python-rhsm-1.8.0-1.pulp.el6sat.x86_64
qpid-cpp-client-0.14-22.el6_3.x86_64
qpid-cpp-client-ssl-0.14-22.el6_3.x86_64
qpid-cpp-server-0.14-22.el6_3.x86_64
qpid-cpp-server-ssl-0.14-22.el6_3.x86_64
ruby193-rubygem-foreman-katello-engine-0.0.8-6.el6sat.noarch
ruby193-rubygem-katello-foreman-engine-0.0.3-6.el6sat.noarch
ruby193-rubygem-katello_api-0.0.3-2.el6_4.noarch
ruby193-rubygem-ldap_fluff-0.2.2-1.el6sat.noarch
signo-katello-0.0.19-1.el6sat.noarch
Comment 17 Ales Dujicek 2013-06-27 06:57:09 UTC 
that problem is still there in system and distributor custom information keynames; values looks ok

how to reproduce:
create system (or distributor) custom information with keyname "<h1>keyname</h1>"

after reloading page it looks ok, but there is still problem with "Resource not found on the server" when deleting or updating value

versions:
katello-glue-elasticsearch-1.4.2-18.el6sat.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-agent-1.4.3-1.git.1.24fe511.el6.noarch
signo-katello-0.0.19-1.el6sat.noarch
katello-configure-foreman-1.4.3-16.el6sat.noarch
katello-certs-tools-1.4.2-2.el6sat.noarch
katello-cli-1.4.2-8.el6sat.noarch
ruby193-rubygem-foreman-katello-engine-0.0.8-6.el6sat.noarch
katello-common-1.4.2-18.el6sat.noarch
katello-1.4.2-18.el6sat.noarch
katello-foreman-all-1.4.2-18.el6sat.noarch
katello-qpid-client-key-pair-1.0-1.noarch
ruby193-rubygem-katello_api-0.0.3-2.el6_4.noarch
katello-configure-1.4.3-16.el6sat.noarch
katello-glue-candlepin-1.4.2-18.el6sat.noarch
katello-all-1.4.2-18.el6sat.noarch
ruby193-rubygem-katello-foreman-engine-0.0.3-6.el6sat.noarch
katello-cli-common-1.4.2-8.el6sat.noarch
katello-selinux-1.4.3-3.el6sat.noarch
katello-glue-pulp-1.4.2-18.el6sat.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
Comment 18 Ales Dujicek 2013-06-27 06:58:11 UTC 
Created attachment 765962 [details]
keyname is still not escaped
Comment 19 Adam Price 2013-07-02 13:59:46 UTC 
hopefully, second time's a charm!

https://github.com/Katello/katello/pull/2571
Comment 21 Apurva Bhole 2013-08-08 21:13:40 UTC 
The issue exits in WebUI as well as CLI. 

# rpm -qa | grep katello
katello-glue-elasticsearch-1.4.3-6.el6sam_splice.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-1.4.3-5.el6sat.noarch
katello-cli-common-1.4.3-5.el6sat.noarch
katello-configure-1.4.4-2.el6sat.noarch
signo-katello-0.0.10-2.el6sat.noarch
katello-selinux-1.4.4-2.el6sat.noarch
katello-certs-tools-1.4.2-2.el6sat.noarch
katello-common-1.4.3-6.el6sam_splice.noarch
katello-headpin-1.4.3-6.el6sam_splice.noarch
katello-headpin-all-1.4.3-6.el6sam_splice.noarch
katello-glue-candlepin-1.4.3-6.el6sam_splice.noarch
Comment 22 Bryan Kearney 2013-08-14 19:59:28 UTC 
These commits:

0d098ca5e97bd9307ea609d2ab81b4a8ea25cb8e
6011bedaa3685867f612226d632cf83063ab22ba

Are in the branch, so moving this to ON_QA.
Comment 24 sthirugn@redhat.com 2013-08-16 19:44:42 UTC 
Fails for the same reason as mentioned in Comment 17

Version tested:
* candlepin-0.8.20-1.el6sam.noarch
* candlepin-cert-consumer-cloud-qe-21.idm.lab.bos.redhat.com-1.0-1.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.20-1.el6sam.noarch
* candlepin-tomcat6-0.8.20-1.el6sam.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.2-2.el6sat.noarch
* katello-cli-1.4.3-7.el6sat.noarch
* katello-cli-common-1.4.3-7.el6sat.noarch
* katello-common-1.4.3-8.el6sam_splice.noarch
* katello-configure-1.4.4-2.el6sat.noarch
* katello-glue-candlepin-1.4.3-8.el6sam_splice.noarch
* katello-glue-elasticsearch-1.4.3-8.el6sam_splice.noarch
Comment 25 Adam Price 2013-08-19 18:41:37 UTC 
another attempt...

https://github.com/Katello/katello/pull/2781
Comment 27 sthirugn@redhat.com 2013-08-26 17:45:10 UTC 
VERIFIED the systems custom info and distributor custom info deletion in SAM UI.  
Note:
1. But still not able to delete the default system/distributor custom info under Organizations which is being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1001199.
2. An invalid error message shown to the user when deleting distributor custom info which is being tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1001202
3. User notifications not escaping the html characters which is being tracked under https://bugzilla.redhat.com/show_bug.cgi?id=1001173

Version Tested:
* candlepin-0.8.21-1.el6sam.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.21-1.el6sam.noarch
* candlepin-tomcat6-0.8.21-1.el6sam.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.2-2.el6sat.noarch
* katello-cli-1.4.3-8.el6sat.noarch
* katello-cli-common-1.4.3-8.el6sat.noarch
* katello-common-1.4.3-9.el6sam_splice.noarch
* katello-configure-1.4.4-3.el6sat.noarch
* katello-glue-candlepin-1.4.3-9.el6sam_splice.noarch
* katello-glue-elasticsearch-1.4.3-9.el6sam_splice.noarch
* katello-headpin-1.4.3-9.el6sam_splice.noarch
* katello-headpin-all-1.4.3-9.el6sam_splice.noarch
* katello-selinux-1.4.4-2.el6sat.noarch
* thumbslug-0.0.32-1.el6sam.noarch
* thumbslug-selinux-0.0.32-1.el6sam.noarch
Comment 29 errata-xmlrpc 2013-10-01 11:09:33 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1390.html