Roundup Tracker - Issues

Issue 2550817

Title: XSS issue in user page with sort parameter.
Type: security Severity: critical
Components: User Interface Versions:
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: schlatterbeck Nosy List: ber, iwontbecreative, schlatterbeck
Priority: high Keywords:

Created on 2013-07-16 16:28 by iwontbecreative, last changed 2013-12-20 17:31 by schlatterbeck.

msg4915 Author: [hidden] (iwontbecreative) Date: 2013-07-16 16:28
Original report at : about the python 
modifier roundup bugtracker.

This post :
July/002606.html seems to highlight that this is a roundup security 
issue while this confirms it :

XSS issues allow for many things including stealing session cookies. It 
might be worth reading the entire report on the python meta-tracker 
since it shows another issue closely related (also with the sort 

Thibault Févry
msg4916 Author: [hidden] (ber) Date: 2013-07-17 09:55
Thanks for the note. I guess we need to take a look.
msg4975 Author: [hidden] (schlatterbeck) Date: 2013-12-20 17:31
Fixed in commit 24b8011cd2dc.

Note that the bug with sort/group parameters is not in roundup core
currently, that took me a while to find what you mean (roundup currently
doesn't issue an error message when you specify non-existing properties
in sort/group).
But having a 'structure' tag -- which indicates that the template will
not escape the text -- is asking for trouble. So I've reworked that part
and *all* messages (error and ok) are now escaped.

This *needs* a change to the template. So if you apply only the patch to
roundup core you're *more vulnerable than before*. Be sure to apply the
patch to the template, see doc/upgrading.txt.

I've already committed the necessary changes to roundup's roundup tracker.
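
A defender-side check related to the 'structure' remark in msg4975, added here as an example that is not part of the tracker thread or of Roundup's code: it lists every tal:content / tal:replace statement that uses TAL's 'structure' keyword, so each one can be reviewed for whether its value is escaped before it reaches the template. The template fragments, file names and the context/notes expression are constructed for illustration.

```python
import re

# Matches tal:content / tal:replace attributes, including values that span lines.
TAL_ATTR = re.compile(r'\btal:(content|replace)\s*=\s*(["\'])(.*?)\2', re.S)

def find_structure_uses(name, source):
    """Return (file, line, attribute, expression) for every TAL statement
    that inserts its value with the 'structure' keyword, i.e. unescaped."""
    hits = []
    for m in TAL_ATTR.finditer(source):
        words = m.group(3).split(None, 1)
        if len(words) == 2 and words[0] == "structure":
            line = source.count("\n", 0, m.start()) + 1
            hits.append((name, line, m.group(1), " ".join(words[1].split())))
    return hits

# Constructed template fragments for illustration (not Roundup's shipped templates).
SAMPLES = {
    "page.html": (
        '<p class="error-message"\n'
        '   tal:content="structure options/error_message" />\n'
        '<p class="ok-message" tal:content="options/ok_message" />\n'
    ),
    "issue.item.html": (
        '<td tal:content="text context/title" />\n'
        "<div tal:replace='structure\n"
        "     context/notes' />\n"
    ),
}

def audit(templates):
    """Scan a {filename: source} mapping and collect all 'structure' uses."""
    hits = []
    for name in sorted(templates):
        hits.extend(find_structure_uses(name, templates[name]))
    return hits

if __name__ == "__main__":
    for name, line, attr, expr in audit(SAMPLES):
        print(f"{name}:{line}: tal:{attr} inserts '{expr}' without escaping")
```

A hit is a review item, not a finding by itself: the value is safe only if the code that builds it has already escaped it.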
Date                 User             Action  Args
2013-12-20 17:31:27  schlatterbeck    set     status: new -> closed
                                              assignee: schlatterbeck
                                              resolution: fixed
                                              messages: + msg4975
2013-07-17 09:55:05  ber              set     priority: high
                                              nosy: + schlatterbeck, ber
                                              messages: + msg4916
2013-07-16 16:28:53  iwontbecreative  create