Bug 855112 – Encode XML-unsafe characters from user input as XML entities

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 855112 - Encode XML-unsafe characters from user input as XML entities [NEEDINFO]

Summary:	Encode XML-unsafe characters from user input as XML entities

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	luci (Show other bugs)
Sub Component:
Version:	6.3
Hardware:	Unspecified Unspecified

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Ryan McCabe
QA Contact:	Cluster QE
Docs Contact:

URL:
Whiteboard:
Keywords:

Duplicates:	855117 855120 855121 858386 (view as bug list)
Depends On:	855121
Blocks:	855117 855120
	Show dependency tree / graph

Reported:	2012-09-06 14:03 EDT by Jan Pokorný
Modified:	2014-10-14 00:12 EDT (History)
CC List:	6 users (show)

See Also:	739600
Fixed In Version:	luci-0.26.0-59.el6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Clones:	855117 855120 855121 858386 1138585 (view as bug list)
Environment:
Last Closed:	2014-10-14 00:12:06 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Flags:	rsteiger: needinfo? (jpokorny)

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1390	normal	SHIPPED_LIVE	Moderate: luci security, bug fix, and enhancement update	2014-10-14 04:11:39 EDT

Groups: None (edit)

Description Jan Pokorný 2012-09-06 14:03:39 EDT

In connection to case discussed in the public cluster ML [1], we need
to make sure the user input that makes its way into XML (either as
cluster.conf or XML-formatted requests towards ricci) is XML-ready.
That is, the "unsafe" characters are encoded as XML entities.

Otherwise, such requests have no effect and unfortunately, neither
ricci provides a sensible diagnostics about this.  Example of such
input is the password for the initial authentization against ricci.

[1] https://www.redhat.com/archives/linux-cluster/2012-August/msg00135.html

Comment 7 Fabio Massimo Di Nitto 2014-03-27 12:43:21 EDT

*** Bug 855121 has been marked as a duplicate of this bug. ***

Comment 8 Fabio Massimo Di Nitto 2014-03-27 12:43:37 EDT

*** Bug 858386 has been marked as a duplicate of this bug. ***

Comment 9 Fabio Massimo Di Nitto 2014-03-27 12:44:42 EDT

*** Bug 855117 has been marked as a duplicate of this bug. ***

Comment 10 Fabio Massimo Di Nitto 2014-03-27 12:45:33 EDT

*** Bug 855120 has been marked as a duplicate of this bug. ***

Comment 19 errata-xmlrpc 2014-10-14 00:12:06 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2014-1390.html

Note You need to log in before you can comment on or make changes to this bug.