1016514 – Nitrate is vulnerable to XSS when w3m is not installed

Bug 1016514 - Nitrate is vulnerable to XSS when w3m is not installed

Summary: Nitrate is vulnerable to XSS when w3m is not installed

Keywords:
Status:	NEW
Alias:	None
Product:	TCMS
Classification:	Other
Component:	Application
Sub Component:
Version:	Devel
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	---
Assignee:	Yuguang Wang
QA Contact:	Nobody
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-10-08 10:04 UTC by Lukas Vacek
Modified:	2022-03-14 03:26 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Lukas Vacek 2013-10-08 10:04:01 UTC

Input from fields with TinyMCE widget (TestPlan: Summary, TestCase: Breakdown, Setup, Action, Expected Results) is not sanitized and is rendered as is to the clients.

The offending function is:

def html2text(value):
    """
    Pipes given HTML string into the text browser W3M, which renders it.
    Rendered text is grabbed from STDOUT and returned.
    """
    try:
        cmd = "w3m -dump -T text/html -O ascii"
        proc = Popen(cmd, shell = True, stdin = PIPE, stdout = PIPE)
        return proc.communicate(str(value))[0]
    except OSError:
        # something bad happened, so just return the input
        return value


An attacker can add an arbitrary javascript to, for example, a TestPlan Summary and the javascript is then executed for everyone viewing the test plan.

Note You need to log in before you can comment on or make changes to this bug.