The content of log files is not escaped before being rendered via log viewer
----------------------------------------------------------------------------
Key: MAGNOLIA-3191
URL: http://jira.magnolia-cms.com/browse/MAGNOLIA-3191
Project: Magnolia
Issue Type: Bug
Components: admininterface
Affects Versions: 4.3.1, 4.2.3, 4.1.4
Reporter: Jan Haderka
Assignee: Jan Haderka
Priority: Critical
Fix For: 4.2.x, 4.3.x, 4.1.x
Currently the content of the log files is assumed to be safe. This assumption is
incorrect, as the log file might include messages from content entered by users
in the search form or other input fields on the site, and therefore must be escaped.
While the issue impact with properly secured access to AdminCentral (protect
access to {{.magnolia}} URI from the public net) is minimal, I'm setting priority
to critical and will push the fix into the next maintenance release.
Workaround:
- do not use the log viewer in the AdminCentral, but view the log files directly in
the file system.