Title: [opsview] [8207] Fixed possible script injections (thanks to J oque...@e-fensive.net)
Revision: 8207
Author: tvoon
Date: 2012-03-31 16:13:36 +0100 (Sat, 31 Mar 2012)
Log Message
Fixed possible script injections (thanks to J oque...@e-fensive.net)
Modified Paths
Modified: trunk/CHANGES
===================================================================
--- trunk/CHANGES 2012-03-31 13:58:00 UTC (rev 8206)
+++ trunk/CHANGES 2012-03-31 15:13:36 UTC (rev 8207)
@@ -18,6 +18,7 @@
Removed unnecessary calls to /etc/rc.d/init.d/functions
Fixed Nagvis error messages that may get displayed. Removed Nagvis favicon functionality
Fixed import_slaveresultsd not starting up correctly on slaves
+ Fixed possible script injections (thanks to J oque...@e-fensive.net)
3.20120308 8th March 2012
NOTICES:
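Review bot: the new CHANGES entry does not say which page or which values were affected; since this is a security fix, name the login page and the escaped values (login_error, login_username, the localised field labels) so that anyone reading the changelog can judge their exposure and decide whether to upgrade.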
Modified: trunk/opsview-web/root/login
===================================================================
--- trunk/opsview-web/root/login 2012-03-31 13:58:00 UTC (rev 8206)
+++ trunk/opsview-web/root/login 2012-03-31 15:13:36 UTC (rev 8207)
@@ -40,7 +40,7 @@
</div>
<div id='login_form_div'>
- [% IF login_error && ! do_not_show_login_error; '<h3>'; login_error; '</h3>'; END; %]
+ [% IF login_error && ! do_not_show_login_error; '<h3>'; login_error | html; '</h3>'; END; %]
<noscript>
<h3>[% c.loc("ui.message.requireJavascript") | html %]</h3>
<span>[% c.loc("ui.message.pleaseEnableJavascript") | html %]</span>
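Review bot: passing login_error through the html filter before it lands inside the <h3> is the right fix for element content, since the filter rewrites &, <, > and " to their entities. The unchanged `do_not_show_login_error` condition still suppresses the message entirely when set, so the template has two behaviours (escaped or omitted); a short template comment saying so would help the next reader, because a missing message and an escaped message look the same to a test that only checks the payload is absent.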
@@ -52,19 +52,19 @@
</noscript>
<label for=''>
- [% c.loc("ui.login.field.username") %]<br />
+ [% c.loc("ui.login.field.username") | html %]<br />
<input style="width: 180px" size="25" id="login_username" name="login_username" value="[%
- c.req.params.login_username %]" />
+ c.req.params.login_username | html %]" />
</label>
<br />
<label for=''>
- [% c.loc("ui.login.field.password") %]<br />
+ [% c.loc("ui.login.field.password") | html %]<br />
<input style="width: 180px" size="25" id="login_password" type="password" name="login_password" />
</label>
<br />
<input type="hidden" name="back" value="[% back | html %]" />
<input type="hidden" name="app" value="[% app_name | html %]" />
- <input name='login' id='login' type="submit" value="[% c.loc("ui.login.submit") %]" />
+ <input name='login' id='login' type="submit" value="[% c.loc("ui.login.submit") | html %]" />
</form>
<script type="text/_javascript_">
document.login_form.login_username.focus();
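Review bot: the `value="[% c.req.params.login_username | html %]"` attribute is double-quoted, so the filter's conversion of `"` to `&quot;` is what keeps the request parameter from breaking out of the attribute; keep the double quotes, because the html filter leaves `'` untouched and the same change would not protect a single-quoted attribute. Escaping the `c.loc(...)` labels and the submit value is consistent with the existing `c.loc(...) | html` uses in the <noscript> block above, but check the message catalogs for any entry that relied on embedded markup, as it will now render literally.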
Modified: trunk/opsview-web/t/888security.t
===================================================================
--- trunk/opsview-web/t/888security.t 2012-03-31 13:58:00 UTC (rev 8206)
+++ trunk/opsview-web/t/888security.t 2012-03-31 15:13:36 UTC (rev 8207)
@@ -26,6 +26,12 @@
my $cj = HTTP::Cookies->new();
$ua->cookie_jar($cj);
+$ua->get_ok(qq{/login?login_username=" _onclick_="alert('bad')});
+$ua->content_lacks( '_onclick_="alert(', "Value is escaped" );
+
+$ua->get_ok(qq{/login?login_error=<script>alert("bad")</script>});
+$ua->content_lacks( '<script>alert("bad")', "Script tags not found" );
+
# No cookies here - should get login page
log_in( $ua, "somehosts", "somehosts" );
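Review bot: both new assertions use `content_lacks`, so they also pass if the value is dropped rather than escaped, for example when `do_not_show_login_error` suppresses the message or when the page errors out; add a `content_contains` for the escaped form of each probe (`&quot; _onclick_=&quot;alert('bad')` and `&lt;script&gt;alert(&quot;bad&quot;)&lt;/script&gt;`) so the test proves the html filter was applied. The first request also leaves the literal space and quotes in the query string for the client to encode; URI-escaping the parameter values in the test would make it independent of how the user agent serialises them.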
_______________________________________________
Opsview-checkins mailing list
Opsview-checkins@lists.opsview.org
http://lists.opsview.org/lists/listinfo/opsview-checkins