Bug 1215030 (CVE-2015-3162) - HTML tags in recipe set comments are not escaped in the "edit comment" dialog
Summary: HTML tags in recipe set comments are not escaped in the "edit comment" dialog
Status: CLOSED CURRENTRELEASE
Alias: CVE-2015-3162
Product: Beaker
Classification: Community
Component: general
Version: 19
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified vote
Target Milestone: 20.1
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Keywords: Patch, Security
Depends On:
Blocks: 1215894
TreeView+ depends on / blocked
 
Reported: 2015-04-24 07:23 UTC by Dan Callaghan
Modified: 2018-02-06 00:41 UTC (History)
18 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2015-05-08 04:06:03 UTC


Attachments (Terms of Use)
proposed patch (3.90 KB, patch)
2015-04-29 07:22 UTC, Dan Callaghan
no flags Details | Diff
proposed patch v2 (5.24 KB, patch)
2015-05-04 07:51 UTC, Dan Callaghan
no flags Details | Diff

Description Dan Callaghan 2015-04-24 07:23:48 UTC
Description of problem:
The "edit comment" dialog on the job page does not escape HTML characters in the comment correctly after fetching it.

Version-Release number of selected component (if applicable):
probably all Beaker versions

How reproducible:
easily

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>
4. Refresh the job page, and click "comment" again

Actual results:
<script> is executed

Expected results:
HTML characters should be escaped in the comment value

Comment 1 Dan Callaghan 2015-04-29 07:22:36 UTC
Created attachment 1020005 [details]
proposed patch

Comment 4 Hui Wang 2015-05-04 07:16:40 UTC
Verified this issue.
The result is FAILED.
Version: Beaker 20.1.git.5.24dc482

Steps to Reproduce:
1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment" and edit the comment to be: <script>alert('xss')</script>

Result:
The script still be executed.

Comment 5 Dan Callaghan 2015-05-04 07:21:37 UTC
Ah yes, there is another one I missed... full steps to reproduce are:

1. Submit a job, then cancel it
2. On the job page, ack or nack your job
3. Click "comment"
4. Click "edit" and change the comment to: <script>alert('xss')</script>, then click "save"
5. Refresh the job page
6. Click "comment"
7. Click "edit"

Script is executed.

Comment 6 Dan Callaghan 2015-05-04 07:51:17 UTC
Created attachment 1021565 [details]
proposed patch v2

This patch addresses the other missed escaping, in the edit comment dialog. (Sigh, that code makes me very sad.)

Comment 10 Hui Wang 2015-05-05 02:31:47 UTC
Verified this issue.
The result is PASS.
Version: Beaker 20.1.git.5.fd65027

Comment 11 Dan Callaghan 2015-05-08 04:06:03 UTC
Beaker 20.1 has been released.


Note You need to log in before you can comment on or make changes to this bug.