Title: [opsview] [8207] Fixed possible script injections (thanks to J oque...@e-fensive.net)
Revision
8207
Author
tvoon
Date
2012-03-31 16:13:36 +0100 (Sat, 31 Mar 2012)

Log Message

Fixed possible script injections (thanks to J oque...@e-fensive.net)

Modified Paths


Modified: trunk/CHANGES
===================================================================
--- trunk/CHANGES	2012-03-31 13:58:00 UTC (rev 8206)
+++ trunk/CHANGES	2012-03-31 15:13:36 UTC (rev 8207)
@@ -18,6 +18,7 @@
     Removed unnecessary calls to /etc/rc.d/init.d/functions
     Fixed Nagvis error messages that may get displayed. Removed Nagvis favicon functionality
     Fixed import_slaveresultsd not starting up correctly on slaves
+    Fixed possible script injections (thanks to J oque...@e-fensive.net)
 
 3.20120308 8th March 2012
     NOTICES:
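Review bot: the CHANGES entry repeats the commit subject without saying what was affected; for a security fix, name the page and inputs (the login page's reflected login_error and login_username values, per the other hunks in this revision) so operators reading the changelog can judge their exposure, e.g. "Fixed reflected script injection in the login page (login_error, login_username)".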

Modified: trunk/opsview-web/root/login
===================================================================
--- trunk/opsview-web/root/login	2012-03-31 13:58:00 UTC (rev 8206)
+++ trunk/opsview-web/root/login	2012-03-31 15:13:36 UTC (rev 8207)
@@ -40,7 +40,7 @@
 </div>
 
 <div id='login_form_div'>
-  [% IF login_error && ! do_not_show_login_error; '<h3>'; login_error; '</h3>'; END; %]
+  [% IF login_error && ! do_not_show_login_error; '<h3>'; login_error | html; '</h3>'; END; %]
   <noscript>
   <h3>[% c.loc("ui.message.requireJavascript") | html %]</h3>
   <span>[% c.loc("ui.message.pleaseEnableJavascript") | html %]</span>
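Review bot: escaping login_error with `| html` is the right fix for the reflection, but the accompanying test (888security.t) shows the value can be supplied directly in the query string as `/login?login_error=...`; consider whether the template should accept that parameter from the request at all rather than only from the authentication controller, since escaping makes it inert but still lets anyone craft a link that shows an arbitrary message on the login form.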
@@ -52,19 +52,19 @@
     </noscript>
 
     <label for=''>
-      [% c.loc("ui.login.field.username") %]<br />
+      [% c.loc("ui.login.field.username") | html %]<br />
       <input style="width: 180px" size="25" id="login_username" name="login_username" value="[% 
-      c.req.params.login_username %]" />
+      c.req.params.login_username | html %]" />
     </label>
     <br />
     <label for=''>
-      [% c.loc("ui.login.field.password") %]<br />
+      [% c.loc("ui.login.field.password") | html %]<br />
       <input style="width: 180px" size="25" id="login_password" type="password" name="login_password" />
     </label>
     <br />
   <input type="hidden" name="back" value="[% back | html %]" /> 
   <input type="hidden" name="app" value="[% app_name | html %]" />
-  <input name='login' id='login' type="submit" value="[% c.loc("ui.login.submit") %]" />
+  <input name='login' id='login' type="submit" value="[% c.loc("ui.login.submit") | html %]" />
   </form>
 <script type="text/_javascript_">
 document.login_form.login_username.focus();
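Review bot: the `| html` filter on the `c.req.params.login_username` value is only safe because the surrounding attribute is double-quoted (the filter encodes `"` as `&quot;`), so keep the `value="..."` quoting as-is and avoid moving this directive into an unquoted or single-quoted attribute. Separately, wrapping the `c.loc(...)` labels and the submit `value` in `| html` means any translation string that contained markup would now render as literal text; confirm the locale files for ui.login.field.username, ui.login.field.password and ui.login.submit hold plain text only.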

Modified: trunk/opsview-web/t/888security.t
===================================================================
--- trunk/opsview-web/t/888security.t	2012-03-31 13:58:00 UTC (rev 8206)
+++ trunk/opsview-web/t/888security.t	2012-03-31 15:13:36 UTC (rev 8207)
@@ -26,6 +26,12 @@
 my $cj    = HTTP::Cookies->new();
 $ua->cookie_jar($cj);
 
+$ua->get_ok(qq{/login?login_username=" _onclick_="alert('bad')});
+$ua->content_lacks( '_onclick_="alert(', "Value is escaped" );
+
+$ua->get_ok(qq{/login?login_error=<script>alert("bad")</script>});
+$ua->content_lacks( '<script>alert("bad")', "Script tags not found" );
+
 # No cookies here - should get login page
 log_in( $ua, "somehosts", "somehosts" );
 

_______________________________________________
Opsview-checkins mailing list
Opsview-checkins@lists.opsview.org
http://lists.opsview.org/lists/listinfo/opsview-checkins