Issue 2550817
Created on 2013-07-16 16:28 by iwontbecreative, last changed 2013-12-20 17:31 by schlatterbeck.
|
| msg4915 |
Author: [hidden] (iwontbecreative) |
Date: 2013-07-16 16:28 |
|
Original report at :
http://psf.upfronthosting.co.za/roundup/meta/issue519 about the python
modifier roundup bugtracker.
This post : http://mail.python.org/pipermail/python-committers/2013-
July/002606.html seems to highlight that this is a roundup security
issue while this confirms it : http://issues.roundup-tracker.org/user?
@sort=%3Cscript%3Ealert('XSS')%3C/script%3E%3Ch1%3E
XSS issues allow for many things including stealing session cookies. It
might be worth to read the entire report on the python meta-tracker
since it shows another issue closely related (also with the sort
parameter).
Thibault FĂ©vry
|
| msg4916 |
Author: [hidden] (ber) |
Date: 2013-07-17 09:55 |
|
Thanks for the note. I guess we need to take a look.
|
| msg4975 |
Author: [hidden] (schlatterbeck) |
Date: 2013-12-20 17:31 |
|
Fixed in commit 24b8011cd2dc.
Note that the bug with sort/group parameters is not in roundup core
currently, that took me a while to find what you mean (roundup currently
doesn't issue an error message when you specify non-existing properties
in sort/group).
But having a 'structure' tag -- which indicates that the template will
not escape the text -- is asking for trouble. So I've reworked that part
and *all* messages (error and ok) are now escaped.
This *needs* a change to the template. So if you apply only the patch to
roundup core you're *more vulnerable than before*. Be sure to apply the
patch to the template, see doc/upgrading.txt.
I've already committed the necessary changes to roundups roundup tracker.
|
|
| Date |
User |
Action |
Args |
| 2013-12-20 17:31:27 | schlatterbeck | set | status: new -> closed
assignee: schlatterbeck
resolution: fixed
messages:
+ msg4975 |
| 2013-07-17 09:55:05 | ber | set | priority: high
nosy:
+ schlatterbeck, ber
messages:
+ msg4916 |
| 2013-07-16 16:28:53 | iwontbecreative | create | |
|