Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1023093 - User can break Domains UI by entering a nasty string for 'name'
Summary: User can break Domains UI by entering a nasty string for 'name'
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Provisioning
Version: 6.0.2
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: Unspecified
Assignee: Dmitri Dolguikh
QA Contact: Corey Welton
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-10-24 15:19 UTC by Corey Welton
Modified: 2019-09-25 20:46 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-02 14:04:47 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 3516 0 None None None 2016-04-22 16:14:32 UTC
Red Hat Bugzilla 1023062 0 unspecified CLOSED Architectures etc: resources created/modified should not use multibyte names in URLs 2021-02-22 00:41:40 UTC

Internal Links: 1023062

Description Corey Welton 2013-10-24 15:19:28 UTC
Description of problem:

When users enters an ugly string for Domain, it breaks the UI - Domains UI can subsequently not be accessed.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.  Navigate to Domains in foreman and try to create a new domain.  use the following string

你好/`cat /etc/passwd/

2.  Note error
3.  Attempt to navigate back to main domains UI at all, e.g., server.example.com/foreman/domains

Actual results:

Initial and subsequent errors

"Oops, we're sorry but something went wrong
 
x No route matches {:action=>"edit", :controller=>"domains", :id=>"你好/`cat /etc/passwd/`"}
If you feel this is an error with Foreman itself, please open a new issue with Foreman ticketing system, You would probably need to attach the Full trace and relevant log entries.

Back"

User cannot access page

Expected results:

Field validation

Additional info:

Not sure if a workaround is to use cli to try and remove any gunk.  Will try and report back.

Comment 1 Corey Welton 2013-10-24 15:23:17 UTC
Satellite-6.0.2-RHEL-6-20131023.1

Comment 2 Corey Welton 2013-10-24 15:24:40 UTC
A side note:  The resulting error page also references tracking issues in foreman bug tracker. We fixed this elsewhere but apparently this is a new place where we need to point to BZ.  I'd prefer we fix this at the same time since it's hard to try and verify such things when the underlying breakage is fixed.

Comment 3 Corey Welton 2013-10-24 15:25:38 UTC
I think the actual string used was 

你好/`cat /etc/passwd`


bad copy and paste from screen in the initial report.

Comment 4 Corey Welton 2013-10-24 15:28:26 UTC
from hammer -u admin -p admin domain list


3  | 你好/`cat /etc/passwd/`

So there's your proper string

It does appear we can remove it via CLI

hammer -u admin -p admin domain delete --id 3

So as we have a workaround, I will remove blocker.

Comment 6 Dominic Cleal 2013-10-25 13:41:15 UTC
A basic "a/b" causes it to fail too, much the same reason behind bug #1023062 as we're not sanitising names sufficiently in URLs.

Comment 7 Dominic Cleal 2013-11-13 12:02:13 UTC
Merged as 39558b7200a7e1d4d5976ee62e25491d9016e56f in develop.

Comment 11 Corey Welton 2014-05-05 19:07:44 UTC
Verified in Satellite/Satellite-6.0.3-RHEL-6-20140430.4

Comment 12 Bryan Kearney 2014-07-02 14:04:47 UTC
This was delivered with 6.0.3, which is the Satellite 6 Beta.


Note You need to log in before you can comment on or make changes to this bug.