Red Hat Bugzilla – Bug 1366307
[pcsd] Badly designed usage of HTML ID attributes may cause unexpected behavior with certain resource names
Last modified: 2016-11-03 16:59:35 EDT
> Description of problem: ID attribute of HTML elements that represent each resource in the GUI resource list is generated dynamically according to the resource name, but instead of using a deterministic pre/post-fix or a completely random and therefore unique ID it only takes the corresponding resource's name and uses it as an ID. This enables the user to create such a resource which name used as an ID would collide with some other ID that already exists inside the GUI page, possibly causing an unexpected behavior. The most simple reproducer is to create a resource called 'test'. As the ID 'test' is already reserved by parts of the javascript framework the result of this particular case is making the resource non-highlightable within the resource list. Another one is to use browser's developer tools and xpath to search for particular ID, i.e. run $x("//*[@id='test']") in Chrome's console to verify that ID is present more than once. > Version-Release number of selected component (if applicable): pcs-0.9.152-6.el7.x86_64 > Steps to Reproduce: 1. Create a resource called 'test' 2. Try to highlight the resource inside resource list > Actual results: Item cannot be highlighted. Also, an xpath search would return more than one instance of the correspondent ID. > Expected results: Item can be highlighted. Also, an xpath search would return just one instance of the correspondent ID.
proposed fix: https://github.com/ClusterLabs/pcs/commit/f1e6da86be122fd2177f70422b3dcb8acd30 Test: Create resource called 'test'. In web UI select resource 'test'. It is highlighted.
Setup: Create resource called 'test'. Before Fix: [vm-rhel72-1 ~] $ rpm -q pcs pcs-0.9.152-6.el7.x86_64 In web UI select resource 'test'. It is not highlighted. After Fix: [vm-rhel72-1 ~] $ rpm -q pcs pcs-0.9.152-7.el7.x86_64 In web UI select resource 'test'. It is highlighted.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2016-2596.html