Bug 1023093 - User can break Domains UI by entering a nasty string for 'name'
User can break Domains UI by entering a nasty string for 'name'
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Provisioning
Version: 6.0.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Target Release: --
Assigned To: Dmitri Dolguikh
QA Contact: Corey Welton
URL: http://projects.theforeman.org/issues...
Keywords: Triaged
Depends On:
Blocks:
Reported: 2013-10-24 11:19 EDT by Corey Welton
Modified: 2016-04-22 12:14 EDT (History)
See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-02 10:04:47 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 3516 None None None 2016-04-22 12:14 EDT
Description Corey Welton 2013-10-24 11:19:28 EDT
Description of problem:

When a user enters an ugly string for Domain, it breaks the UI - the Domains UI can subsequently not be accessed.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Navigate to Domains in foreman and try to create a new domain.  Use the following string:

你好/`cat /etc/passwd/

2.  Note error
3.  Attempt to navigate back to main domains UI at all, e.g., server.example.com/foreman/domains

Actual results:

Initial and subsequent errors

"Oops, we're sorry but something went wrong
 
x No route matches {:action=>"edit", :controller=>"domains", :id=>"你好/`cat /etc/passwd/`"}
If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.

Back"

User cannot access page

Expected results:

Field validation

Additional info:

Not sure if a workaround is to use cli to try and remove any gunk.  Will try and report back.
Comment 1 Corey Welton 2013-10-24 11:23:17 EDT
Satellite-6.0.2-RHEL-6-20131023.1
Comment 2 Corey Welton 2013-10-24 11:24:40 EDT
A side note:  The resulting error page also references tracking issues in foreman bug tracker. We fixed this elsewhere but apparently this is a new place where we need to point to BZ.  I'd prefer we fix this at the same time since it's hard to try and verify such things when the underlying breakage is fixed.
Comment 3 Corey Welton 2013-10-24 11:25:38 EDT
I think the actual string used was 

你好/`cat /etc/passwd`


bad copy and paste from screen in the initial report.
Comment 4 Corey Welton 2013-10-24 11:28:26 EDT
from hammer -u admin -p admin domain list


3  | 你好/`cat /etc/passwd/`

So there's your proper string

It does appear we can remove it via CLI

hammer -u admin -p admin domain delete --id 3

So as we have a workaround, I will remove blocker.
Comment 6 Dominic Cleal 2013-10-25 09:41:15 EDT
A basic "a/b" causes it to fail too, much the same reason behind bug #1023062 as we're not sanitising names sufficiently in URLs.
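An added illustration of the cause described in this comment (example code, not Foreman's own code nor its merged fix): a model whose URL parameter is its name puts user input straight into a path segment, a "/" in it then fails the route's :id constraint and path generation raises. The constraint, the id-prefixed parameter and the hostname validation are assumptions chosen for the example.

```ruby
# Added illustration, not Foreman's code: a model whose to_param is its name
# places user input straight into the URL; a "/" in it then fails the route's
# :id constraint and path generation raises, which is what the report shows.

# Route constraint assumed here: "." must be allowed (domain names contain it),
# "/" must not, or the path would gain an extra segment.
ID_CONSTRAINT = /\A[^\/]+\z/

Domain = Struct.new(:id, :name)

# Mimics the router: a value that violates the constraint has no matching
# route, so generation raises "No route matches".
def edit_domain_path(param)
  unless param.match?(ID_CONSTRAINT)
    raise ArgumentError, "No route matches {:action=>\"edit\", :controller=>\"domains\", :id=>#{param.inspect}}"
  end
  "/domains/#{param}/edit"
end

# Before: friendly URLs built directly from the user-controlled name.
def param_from_name(domain)
  domain.name
end

# After (a defensive pattern assumed for this example, not the merged fix):
# lead with the numeric id and keep only URL-safe characters of the name as a
# cosmetic suffix, so every name yields a valid segment and lookup uses the id.
def param_from_id(domain)
  slug = domain.name.downcase.gsub(/[^a-z0-9.\-]+/, '-').gsub(/\A-|-\z/, '')
  slug.empty? ? domain.id.to_s : "#{domain.id}-#{slug}"
end

# Server side, to_i stops at the first non-digit: "3-example.com" resolves to 3.
def id_from_param(param)
  param.to_i
end

# The field validation the reporter asked for: hostname-style labels only.
def valid_domain_name?(name)
  name.match?(/\A[a-z0-9]([a-z0-9\-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9\-]*[a-z0-9])?)*\z/i)
end

if __FILE__ == $0
  nasty = Domain.new(3, "你好/`cat /etc/passwd`")   # string from the report
  begin
    edit_domain_path(param_from_name(nasty))
  rescue ArgumentError => e
    puts e.message
  end
  puts edit_domain_path(param_from_id(nasty))          # /domains/3-cat-etc-passwd/edit
end
```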
Comment 7 Dominic Cleal 2013-11-13 07:02:13 EST
Merged as 39558b7200a7e1d4d5976ee62e25491d9016e56f in develop.
Comment 11 Corey Welton 2014-05-05 15:07:44 EDT
Verified in Satellite/Satellite-6.0.3-RHEL-6-20140430.4
Comment 12 Bryan Kearney 2014-07-02 10:04:47 EDT
This was delivered with 6.0.3, which is the Satellite 6 Beta.