Bug 1059812
| Summary: | Manipulated URL affects header content. | | |
|---|---|---|---|
| Product: | Red Hat Satellite 5 | Reporter: | Dimitar Yordanov <dyordano> |
| Component: | WebUI | Assignee: | Grant Gainey <ggainey> |
| Status: | CLOSED WONTFIX | QA Contact: | Red Hat Satellite QA List <satqe-list> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 560 | CC: | dyordano, jhutar, tlestach |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-03-28 17:42:40 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1450940 | | |
Description
Dimitar Yordanov
2014-01-30 17:48:06 UTC
Comment from Tomas:

Hello Dimitar, it's not clear to me what you mean with this BZ. Could you please elaborate on it? When I access https://<satellite>/rhn/account/EditAddress.do?type=M83ab7<script>alert(1)</script>c47ea873a9d& I see in the catalina log:

```
2014-01-31 09:16:38,190 [TP-Processor18] ERROR com.redhat.rhn.common.errors.BadParameterExceptionHandler - Missing Parameter Error
com.redhat.rhn.frontend.action.common.BadParameterException: The parameter uid is required, when accessing /rhn/account/EditAddress.do
        at com.redhat.rhn.frontend.struts.RequestContext.getRequiredParam(RequestContext.java:477)
```

and a Page Request Error in the WebUI, which is the expected behavior. What do you think is wrong?

Reply from Dimitar Yordanov (reporter):

Hi Tomas, please try with spacewalk-java-2.0.2-57. I guess you are trying to reproduce the issue with an older version of the spacewalk-java package. The version mentioned in the "Description" will be officially released with errata: https://errata.devel.redhat.com/advisory/16791

Fixing some info:

Version-Release number of selected component (if applicable): spacewalk-java-2.0.2-57

How reproducible: 100%

Steps to Reproduce:
1. Login and go to https://<satellite>/rhn/account/EditAddress.do?type=M83ab7%3Cscript%3Ealert%281%29%3C/script%3Ec47ea873a9d&uid=1

Actual results: In the WebUI there is this string: "**address type M83ab7<script>alert(1)</script>c47ea873a9d** Record:"

Expected results: The header of that WebUI form should be invariant as per the options in address and should state "Mailing Address Record:"

Comment from Grant Gainey (assignee):

Spacewalk (and Sat5) still contains the web_user_site_type table, which has exactly 4 values: M, B, S, and R, with descriptions MARKET, BILL_TO, SHIP_TO, and SERVICE. This is a hold-over from Hosted, where those mattered. In SW/Sat5, the *only* type we use is 'M', and we *call* it the 'Mailing Address'.

To address this, what we really should do is remove web_user_site_info.type, the web_user_site_type table, all the code (only in EditAddressSetup) that sets the type, the code (also in EditAddressSetup) that pretends that site-type might ever be anything other than 'M', the AddressTag that has a setType() function that throws an error if typeIn is in fact anything other than 'M', the Address interface that *knows* that the only useful type is 'M', and the set/getPrivType() methods from AddressImpl (which even come with the lovely comment "NOTE THIS IS LEGACY REMOVE LATER!!").

I'm going to close this as WONTFIX. It would require some intrusive changes, we should only be addressing serious customer issues, and it only bites you if you're deliberately mucking about with the URL - to which my response is "don't do that" :)
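The two behaviours discussed in this bug side by side, as an added illustration that is not code from the bug or from spacewalk-java: echoing the decoded `type` parameter into the form heading (the actual result), versus resolving it against the fixed web_user_site_type codes so the heading stays invariant (the expected result). The labels for B, S and R are taken from the table descriptions Grant lists; the hostname in the test URLs is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# The four legacy codes of web_user_site_type as described in the bug. Only "M"
# is used by Spacewalk/Satellite 5 and is displayed as "Mailing Address"; the
# other three labels are built from the descriptions quoted in the bug.
SITE_TYPES = {
    "M": "Mailing Address",
    "B": "BILL_TO Address",
    "S": "SHIP_TO Address",
    "R": "SERVICE Address",
}
DEFAULT_TYPE = "M"  # the only type Spacewalk/Sat5 actually uses


def reflected_header(type_param: str) -> str:
    """Behaviour reported in the bug: whatever arrived in ?type= is echoed."""
    return f"address type {type_param} Record:"


def invariant_header(type_param: str) -> str:
    """Hardened form: the heading comes from the allow-list, never from input.

    Unknown codes fall back to "M", matching the expected result in the bug.
    """
    code = type_param if type_param in SITE_TYPES else DEFAULT_TYPE
    return f"{SITE_TYPES[code]} Record:"


def header_for_request(url: str, render=invariant_header) -> str:
    """Parse the EditAddress.do query string and produce the form heading.

    parse_qs percent-decodes values, so the %3Cscript%3E form from the
    reproduction step arrives here as a literal "<script>". A missing uid is
    rejected first, mirroring the BadParameterException in the catalina log.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "uid" not in query:
        raise ValueError("The parameter uid is required")
    return render(query.get("type", [DEFAULT_TYPE])[0])


def unexpected_type_values(urls):
    """Defender-side check: URLs whose type code is outside the allow-list.

    Handy when reviewing access logs for this parameter being tampered with.
    """
    flagged = []
    for url in urls:
        values = parse_qs(urlsplit(url).query).get("type", [])
        if any(v not in SITE_TYPES for v in values):
            flagged.append(url)
    return flagged
```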