Package: graphite-web
Version: 1.1.4-3+deb10u1.1
Severity: important
Tags: patch

Dear Maintainer,

Saving and recalling user graphs doesn't work. This has been fixed upstream:
https://github.com/graphite-project/graphite-web/pull/2587

I was able to rebuild the package with the two patches in the above PR to fix it locally.

-- System Information:
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 10 (buster)
Release: 10
Codename: buster
Architecture: armv7l

Kernel: Linux 5.4.51-v7+ (SMP w/4 CPU cores)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages graphite-web depends on:
ii  adduser                 3.118
ii  python                  2.7.16-1
ii  python3                 3.7.3-1
ii  python3-cairo           1.16.2-1+b1
ii  python3-cairocffi       0.7.2-2.2
ii  python3-django          1:1.11.29-1~deb10u1
ii  python3-django-tagging  1:0.4.5-1
ii  python3-pyparsing       2.2.0+dfsg1-2
ii  python3-simplejson      3.16.0-1
ii  python3-six             1.12.0-1
ii  python3-tz              2019.1-1
ii  python3-urllib3         1.24.1-1
ii  python3-whisper         1.1.4-2

graphite-web recommends no packages.

Versions of packages graphite-web suggests:
ii  graphite-carbon          1.1.4-2
ii  libapache2-mod-wsgi-py3  4.6.5-1
pn  python3-ldap             <none>
pn  python3-memcache         <none>
pn  python3-mysqldb          <none>

-- Configuration Files:
/etc/graphite/local_settings.py changed [not included]

-- no debconf information
>From 0a3e6348d25f289982ae30958375b85cdf219be3 Mon Sep 17 00:00:00 2001 From: Pierce Lopez <pierce.lo...@gmail.com> Date: Tue, 14 Apr 2020 02:45:03 -0400 Subject: [PATCH] composer: fix user saved graphs target escaping saved graphs targets were html-escaped in the json response to fix an XSS vulnerability in graphite-project/graphite-web#1662 ... but that was not really the right place to escape the graph targets, it broke targets using quotes: #1801 #2334 so effectively revert the original fix, and instead html-escape the targets just before rendering them in the GraphDataWindow Ext.ListView also skip the `str()` around `graph.url`, it's already a string, in both python2 and python3 --- webapp/content/js/composer_widgets.js | 9 ++++++++- webapp/graphite/browser/views.py | 29 ++------------------------- 2 files changed, 10 insertions(+), 28 deletions(-) diff --git a/webapp/content/js/composer_widgets.js b/webapp/content/js/composer_widgets.js index e1ce36c7..ac7cc3b8 100644 --- a/webapp/content/js/composer_widgets.js +++ b/webapp/content/js/composer_widgets.js @@ -515,7 +515,14 @@ var GraphDataWindow = { hideHeaders: true, width: 385, height: 140, - columns: [ {header: 'Graph Targets', width: 1.0, dataIndex: 'value'} ], + columns: [ + { + header: 'Graph Targets', + width: 1.0, + dataIndex: 'value', + tpl: '{value:htmlEncode}' + } + ], listeners: { contextmenu: this.targetContextMenu, afterrender: this.targetChanged, diff --git a/webapp/graphite/browser/views.py b/webapp/graphite/browser/views.py index 3bc9dc9c..223a76af 100644 --- a/webapp/graphite/browser/views.py +++ b/webapp/graphite/browser/views.py @@ -24,7 +24,6 @@ from graphite.user_util import getProfile, getProfileByUsername from graphite.util import json from graphite.logger import log from hashlib import md5 -from six.moves.urllib.parse import urlencode, urlparse, parse_qsl def header(request): 
@@ -138,19 +137,7 @@ def myGraphLookup(request): else: m = md5() m.update(name.encode('utf-8')) - - # Sanitize target - urlEscaped = str(graph.url) - graphUrl = urlparse(urlEscaped) - graphUrlParams = {} - graphUrlParams['target'] = [] - for param in parse_qsl(graphUrl.query): - if param[0] != 'target': - graphUrlParams[param[0]] = param[1] - else: - graphUrlParams[param[0]].append(escape(param[1])) - urlEscaped = graphUrl._replace(query=urlencode(graphUrlParams, True)).geturl() - node.update( { 'id' : str(userpath_prefix + m.hexdigest()), 'graphUrl' : urlEscaped } ) + node.update( { 'id' : str(userpath_prefix + m.hexdigest()), 'graphUrl' : graph.url } ) node.update(leafNode) nodes.append(node) @@ -237,22 +224,10 @@ def userGraphLookup(request): m = md5() m.update(nodeName.encode('utf-8')) - # Sanitize target - urlEscaped = str(graph.url) - graphUrl = urlparse(urlEscaped) - graphUrlParams = {} - graphUrlParams['target'] = [] - for param in parse_qsl(graphUrl.query): - if param[0] != 'target': - graphUrlParams[param[0]] = param[1] - else: - graphUrlParams[param[0]].append(escape(param[1])) - urlEscaped = graphUrl._replace(query=urlencode(graphUrlParams, True)).geturl() - node = { 'text' : escape(nodeName), 'id' : username + '.' + prefix + m.hexdigest(), - 'graphUrl' : urlEscaped, + 'graphUrl' : graph.url, } node.update(leafNode) -- 2.20.1
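Review bot: in the composer_widgets.js hunk the `tpl: '{value:htmlEncode}'` column template only changes what the ListView paints; the record's `value` field stays the raw target, and the `contextmenu: this.targetContextMenu` and `afterrender: this.targetChanged` listeners in the trailing context receive that raw value, so confirm that neither handler builds markup from it, or put a one-line comment on the column saying the field is raw by design and must be encoded wherever it is rendered. Worth adding to the commit message as well: Ext's `htmlEncode` encodes `& < > "` but, in older Ext releases, not the single quote, so the template output is only safe as element content, not inside a single-quoted attribute.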
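Review bot: in the myGraphLookup and userGraphLookup hunks the server-side escaping of `target` goes away, but `'text' : escape(nodeName)` in the same `node` dict in userGraphLookup is still escaped server-side, so the JSON now carries one HTML-escaped field next to one raw field; a comment at `'graphUrl' : graph.url` saying the URL is deliberately raw and is encoded by the client-side `htmlEncode` template would stop the next reader from "fixing" it back. The import hunk drops `urlencode, urlparse, parse_qsl` from the `six.moves.urllib.parse` import; `escape` is still used for `nodeName`, so confirm its own import is untouched. The commit message could also say that the removed block had side effects beyond escaping: `parse_qsl` drops blank-valued parameters by default and the dict rebuild collapses repeated non-target keys, so after this revert saved graph URLs round-trip unchanged, which is a behaviour change in its own right.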
>From e2433a314ab8718c7d16bcab7b7944c9e5ef105d Mon Sep 17 00:00:00 2001 From: Pierce Lopez <pierce.lo...@gmail.com> Date: Mon, 20 Apr 2020 15:48:14 -0400 Subject: [PATCH] dashboard: htmlEncode graph target list content same XSS vulnerability as the composer saved user graphs data view had --- webapp/content/js/dashboard.js | 1 + 1 file changed, 1 insertion(+) diff --git a/webapp/content/js/dashboard.js b/webapp/content/js/dashboard.js index b85170bb..0b880f43 100644 --- a/webapp/content/js/dashboard.js +++ b/webapp/content/js/dashboard.js @@ -1915,6 +1915,7 @@ function graphClicked(graphView, graphIndex, element, evt) { header: 'Target', dataIndex: 'target', width: gridWidth - 90, + renderer: 'htmlEncode', editor: {xtype: 'textfield'} }, { -- 2.20.1
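Review bot: in the dashboard.js hunk `renderer: 'htmlEncode'` covers the painted grid cell, and the `editor: {xtype: 'textfield'}` on the same column still reads the raw record value, which is correct since a textfield sets the input's value rather than innerHTML; but the commit message says "same XSS vulnerability as the composer" without a reference, so cite the upstream issue named in the first patch (graphite-project/graphite-web#1662) so both patches can be traced as one fix. Any other place in dashboard.js that builds HTML from the `target` field would need the same renderer; the hunk does not show whether one exists, so a sentence in the message saying the grid is the only consumer would close that question.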
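The point the first patch makes (escaping in the JSON response breaks quoted targets, escaping at render time does not), as an added example that is not part of the bug report or of graphite-web. `legacy_sanitize_graph_url` is a stand-alone rewrite of the "Sanitize target" block the patch removes from webapp/graphite/browser/views.py, with the stdlib `html.escape` standing in for `django.utils.html.escape`; `SAVED_URL` and `XSS_URL` are constructed inputs, and `render_target_cell` is a Python stand-in for the Ext `{value:htmlEncode}` template.

```python
"""Why HTML-escaping saved-graph targets inside the JSON response broke quoted targets.

Added illustration, not graphite-web code. legacy_sanitize_graph_url() is a
stand-alone rewrite of the 'Sanitize target' block the patch removes from
webapp/graphite/browser/views.py; the stdlib html.escape stands in for
django.utils.html.escape (both turn & < > " ' into entities). The URLs below
are constructed examples, not data from a real installation.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed: a composer-saved graph whose target takes a quoted string
# argument, the shape reported broken in upstream issues #1801 / #2334.
SAVED_URL = '/render?target=alias(app.requests%2C%20%22Requests%2Fs%22)&from=-1h&width=600'

# Constructed: the kind of target the server-side escaping was meant to
# neutralise when the composer inserted it into the page as HTML.
XSS_URL = '/render?target=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E&from=-1h'


def legacy_sanitize_graph_url(url):
    """Server-side escaping as done before the patch (the block the patch reverts).

    Every target parameter is HTML-escaped and the query string rebuilt, so the
    entities end up inside the URL that /render later has to parse.
    """
    parsed = urlparse(url)
    params = {'target': []}
    for key, value in parse_qsl(parsed.query):   # parse_qsl drops blank values
        if key != 'target':
            params[key] = value
        else:
            params['target'].append(html.escape(value))
    return parsed._replace(query=urlencode(params, True)).geturl()


def target_of(url):
    """The first target parameter as the render endpoint would decode it."""
    for key, value in parse_qsl(urlparse(url).query):
        if key == 'target':
            return value
    return None


def has_intact_string_args(target):
    """True if no HTML entity has replaced a quote inside the target expression.

    Graphite's target grammar expects literal quotes around string arguments,
    so `&quot;` (or an apostrophe entity) in place of a quote is a parse
    failure, which is what made saved graphs with quoted targets unloadable.
    """
    return not any(ent in target for ent in ('&quot;', '&#x27;', '&#39;'))


def render_target_cell(target):
    """What the patch does instead: escape when emitting HTML, and only then.

    Stands in for the Ext.ListView column template '{value:htmlEncode}'. The
    record value and the saved URL stay raw; only the painted cell is encoded.
    Assumption: Ext's htmlEncode may leave the single quote alone, whereas the
    stdlib version encodes it too, so this is the stricter of the two.
    """
    return '<div class="x-list-body-cell">%s</div>' % html.escape(target)


if __name__ == '__main__':
    for url in (SAVED_URL, XSS_URL):
        raw = target_of(url)
        mangled = target_of(legacy_sanitize_graph_url(url))
        print('saved target  :', raw)
        print('after legacy  :', mangled,
              '(still parseable: %s)' % has_intact_string_args(mangled))
        print('rendered cell :', render_target_cell(raw))
        print()
```

Run it and the quoted target comes back from the legacy path as `alias(app.requests, &quot;Requests/s&quot;)`, which `/render` cannot parse, while the render-time path leaves the URL untouched and still neutralises the `<img onerror>` target in the cell.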