*** Bug 1486665 has been marked as a duplicate of this bug. ***
> Perform some action and flash message is shown
Sorry, but my crystal ball is broken this week
I did perform some action but saw no flash msg.
I believe there's an issue as you describe it SOMEWHERE but...
Actually I did find an example in the DUP of this issue:
> Description of problem:
> After creating a VM creation request, the flash message shown is sent as a URL
> parameter, and can be easily edited, and be misused
> Version-Release number of selected component (if applicable):
> Version master.20170830023715_aa4dab9
> How reproducible:
> Steps to Reproduce:
> 1. Submit a request for VM creation
> 2. See the flash message
> Actual results:
> Flash message in the URL url parameter
It would be helpful if you could help me get all the places that you have found into one BZ but with a description that I would be able to reproduce (as the one above).
fixing one such place:
One more such place:
We can fix all the places as a "hardening" task but afaik this should not be a priority.
The two fixes in this PR can be considered a pattern to fix all the other places.
(In reply to Martin Povolny from comment #4)
> Actually I did find an example in the DUP of this issue:
> > Description of problem:
> > After creating a VM creation request, the flash message shown is sent as a URL
> > parameter, and can be easily edited, and be misused
> > Version-Release number of selected component (if applicable):
> > Version master.20170830023715_aa4dab9
> > How reproducible:
> > 100%
> > Steps to Reproduce:
> > 1. Submit a request for VM creation
> > 2. See the flash message
> > Actual results:
> > Flash message in the URL url parameter
> It would be helpful if you could help me get all the places that you have
> found into one BZ but with a description that I would be able to reproduce
> (as the one above).
To list such places,
Places where we provision/order VMs, delete/modify them, in general I see almost all the flash messages passed in as a url parameter.
> In general I see almost all the flash messages passed in as a url parameter.
I'm also not seeing them now, used to see them in previous builds.
Ok, moving this to POST. Some places were fixed.
Once we have more places found we can create new BZs.
The pattern for the fix is pretty straightforward once you see the place.
As I previously declared: If you show me such places, I can get it fixed.
Fixed! Flash messages are now gone from several main feature pages (tested for GET URL parameters). I do understand this is something we cannot fully mitigate and there are several internal parts of CFME which still use flash via GET.
As of now it is fixed in 22.214.171.124.20180927011235_1b5cf54.
Well done! Thank you!
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.