Filter custom CSS library setting using HTML::Defang
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Evergreen | Fix Released | Medium | Unassigned |
3.11 | Fix Released | Medium | Unassigned |
Bug Description
master / 3.5 beta
Bug 1849152 added a new "opac.patron.
"</style>
Bug 1849683 mitigated the issue by adding an update permission to the setting (this fix is in master already). But if we don't restrict allowable values or at least filter the value somehow before using it, we are asking for trouble.
I propose that we revert the new feature in 3.5/master until we have a more secure implementation.
Marking as Private Security -- the 3.5 beta release is affected and doesn't have the perm mitigation from bug 1849683, so some test environments are surely vulnerable.
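The breakout the description refers to, shown as an added illustration in Python (this is not Evergreen's Perl code and not HTML::Defang): a setting value written verbatim into a `<style>` element can close that element, and a save-time check plus a filter that escapes `<` in the CSS before rendering prevents it. The sample CSS values and all function names are constructed for this example.

```python
import re

# Constructed sample values for a library setting whose text is written
# verbatim into a <style> element of the OPAC page (names are hypothetical).
BENIGN_CSS = "#header { background: #336699; } .hidden { display: none; }"
BREAKOUT_CSS = "body { color: red; } </style><script>/* injected */</script><style>"

STYLE_CLOSE_RE = re.compile(r"</\s*style", re.IGNORECASE)

def render_unfiltered(custom_css: str) -> str:
    """Vulnerable pattern: the setting value is interpolated as-is.
    Inside <style> the HTML tokenizer does not decode entities and only
    looks for '</style'; the first one in the value ends the element and
    everything after it is parsed as ordinary markup."""
    return f"<style>{custom_css}</style>"

def breaks_out_of_style(custom_css: str) -> bool:
    """Check to run when the setting is saved: would this value close the element?"""
    return STYLE_CLOSE_RE.search(custom_css) is not None

def sanitize_custom_css(custom_css: str) -> str:
    """Mitigation for the structural breakout: CSS rules have no legitimate
    use for a literal '<', so replace each one with its CSS hex escape
    (\\3c followed by a space). The HTML tokenizer then never sees a '<',
    so no end tag can be formed, while a CSS parser still reads the rules."""
    return custom_css.replace("<", "\\3c ")

def render_filtered(custom_css: str) -> str:
    return f"<style>{sanitize_custom_css(custom_css)}</style>"

def tags_after_first_style(page: str) -> list[str]:
    """Crude view of what the browser sees as markup: every start tag that
    follows the first '</style>' in the rendered fragment."""
    m = re.search(r"</style\s*>", page, re.IGNORECASE)
    rest = page[m.end():] if m else ""
    return [t.lower() for t in re.findall(r"<([a-z][a-z0-9]*)", rest, re.IGNORECASE)]

if __name__ == "__main__":
    for label, value in (("benign", BENIGN_CSS), ("breakout", BREAKOUT_CSS)):
        print(label, "closes <style>:", breaks_out_of_style(value))
        print("  unfiltered ->", tags_after_first_style(render_unfiltered(value)))
        print("  filtered   ->", tags_after_first_style(render_filtered(value)))
```

This covers only the element breakout the description is about; HTML::Defang, the approach the bug title adopts, additionally filters tags, attributes and the CSS content itself, which a plain `<` escape does not address.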
information type: Private Security → Public Security
Changed in evergreen: milestone: none → 3.5.0
tags: added: pullrequest
Changed in evergreen: milestone: 3.5.0 → 3.5.1
Changed in evergreen: milestone: 3.5.1 → 3.5.2
Changed in evergreen: milestone: 3.5.2 → 3.6.1
Changed in evergreen: milestone: 3.6.1 → 3.6.2
Changed in evergreen: milestone: 3.6.2 → 3.6.3
tags: added: opac
Changed in evergreen: milestone: 3.6.3 → 3.6.4
Changed in evergreen: milestone: 3.6.4 → 3.7.2
Changed in evergreen: milestone: 3.7.2 → 3.7.3
Changed in evergreen: milestone: 3.7.3 → none
no longer affects: evergreen/3.6
summary: Custom CSS considered harmful → Filtering custom CSS library setting using HTML::Defang
summary: Filtering custom CSS library setting using HTML::Defang → Filter custom CSS library setting using HTML::Defang
tags: added: signedoff
Changed in evergreen: status: Fix Committed → Fix Released
One alternative would be to disable the feature by default via config.tt2. Admins who want the feature would have to turn it on in TT2 before staff can make use of it, while those of us who don't want it don't have to worry about someone getting the wrong permission.
Jeff Godin pointed out that bug 1849113 would allow staff to add custom jQuery to the OPAC in a very similar way, with the same drawbacks. That one hasn't been committed yet.