Bug 1016514 - Nitrate is vulnerable to XSS when w3m is not installed
Keywords:
Status: NEW
Alias: None
Product: TCMS
Classification: Other
Component: Application
Version: Devel
Hardware: All
OS: All
unspecified
high
Target Milestone: ---
: ---
Assignee: Yuguang Wang
QA Contact: Nobody
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-10-08 10:04 UTC by Lukas Vacek
Modified: 2022-03-14 03:26 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Lukas Vacek 2013-10-08 10:04:01 UTC
Input from fields with TinyMCE widget (TestPlan: Summary, TestCase: Breakdown, Setup, Action, Expected Results) is not sanitized and is rendered as is to the clients.

The offending function is:

def html2text(value):
    """
    Pipes given HTML string into the text browser W3M, which renders it.
    Rendered text is grabbed from STDOUT and returned.
    """
    try:
        cmd = "w3m -dump -T text/html -O ascii"
        proc = Popen(cmd, shell = True, stdin = PIPE, stdout = PIPE)
        return proc.communicate(str(value))[0]
    except OSError:
        # something bad happened, so just return the input
        return value


An attacker can add arbitrary JavaScript to, for example, a TestPlan Summary, and the JavaScript is then executed for everyone viewing the test plan.
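
A fail-closed variant of the fallback described above, as an added example (not Nitrate's code and not the project's fix). The names `html2text_safe`, `strip_tags` and `_TextOnly` are hypothetical, and it assumes Python 3 and that the returned text is placed into an HTML page. When the renderer cannot be run, it strips tags with the standard library instead of returning the input, and it HTML-escapes the text on both paths.

```python
import html
import subprocess
from html.parser import HTMLParser

# Same w3m flags as in the report, passed as an argument list (no shell).
W3M_CMD = ("w3m", "-dump", "-T", "text/html", "-O", "ascii")


class _TextOnly(HTMLParser):
    """Keeps text nodes only; drops tags and the bodies of script/style."""
    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def strip_tags(value):
    """Pure-Python fallback used when the external renderer is unavailable."""
    parser = _TextOnly()
    parser.feed(value)
    parser.close()
    return "".join(parser.parts)


def html2text_safe(value, cmd=W3M_CMD):
    """Render HTML to text; never hand the raw input back to the caller."""
    try:
        proc = subprocess.run(list(cmd), input=str(value).encode("utf-8"),
                              stdout=subprocess.PIPE, stderr=subprocess.DEVNULL,
                              timeout=10, check=True)
        text = proc.stdout.decode("ascii", "replace")
    except (OSError, subprocess.SubprocessError):
        # Renderer missing, failed or timed out: degrade to tag stripping.
        text = strip_tags(str(value))
    # Rendered text can still contain '<' or '&' (decoded entities), so escape.
    return html.escape(text)
```

Passing a command that does not exist as `cmd` exercises the fallback path without uninstalling w3m.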

