Webservice test client / elasticsearch not escaping returned dumped values to screen

Bug #1719480 reported by Robert Lyon on 2017-09-25
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Mahara  |        | High       | Robert Lyon |
15.04   |        | High       | Unassigned  |
16.04   |        | High       | Unassigned  |
16.10   |        | High       | Unassigned  |
17.04   |        | High       | Unassigned  |
17.10   |        | High       | Robert Lyon |

Bug Description

Similar problem to Bug 1719472
where we have a user with display name set to '<script>alert(1)</script>'

When fetching this user via webservices the test client displays the output to screen without escaping it
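The two output paths this bug covers (the test client dumping a web service response to the page, and a search-result template printing a display name) fail in the same way: a string that came from user-controlled profile data is written into an HTML document without being encoded, so the browser treats it as markup. The following PHP is an added example and not Mahara's own code; it assumes a constructed user record with the display name from the report, and uses PHP's built-in htmlspecialchars rather than any Mahara helper. It shows the unescaped dump beside the escaped one, and a check a reviewer can run over the rendered output.

```php
<?php
// Added illustration, not Mahara code. The record is constructed to match the
// bug report: a user whose display name carries markup.
function sample_user_record(): array {
    return [
        'id'          => 42,
        'username'    => 'example',
        'displayname' => '<script>alert(1)</script>',
    ];
}

// Vulnerable form of a "dump the response" view: print_r output is pasted
// straight into the page, so the display name is parsed as a script tag.
function render_dump_unescaped(array $record): string {
    return '<pre>' . print_r($record, true) . '</pre>';
}

// Hardened form: encode the whole dump at the point it reaches HTML.
// ENT_QUOTES also encodes quotes, so the same function is safe inside attributes;
// ENT_SUBSTITUTE keeps invalid UTF-8 from making the output empty.
function render_dump_escaped(array $record): string {
    $dump = print_r($record, true);
    return '<pre>' . htmlspecialchars($dump, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

// The same rule for a single field in a result-row template: escape the value,
// not the surrounding markup the template author wrote.
function render_result_row(array $record): string {
    $name = htmlspecialchars($record['displayname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li class="search-result">' . $name . '</li>';
}

// Reviewer check: rendered HTML must not contain the raw tag, only its encoded form.
function output_is_escaped(string $html): bool {
    return strpos($html, '<script>') === false
        && strpos($html, '&lt;script&gt;') !== false;
}

$record = sample_user_record();
echo render_dump_unescaped($record), PHP_EOL;   // contains a live <script> tag
echo render_dump_escaped($record), PHP_EOL;     // contains &lt;script&gt; only
echo render_result_row($record), PHP_EOL;

var_dump(output_is_escaped(render_dump_unescaped($record))); // bool(false)
var_dump(output_is_escaped(render_dump_escaped($record)));   // bool(true)
var_dump(output_is_escaped(render_result_row($record)));     // bool(true)
```

Encoding at output time, as in the escaped functions above, is what the fix on each branch amounts to: the stored display name is left as the user entered it, and every place that writes it into HTML does the encoding itself.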

Revision history for this message
Robert Lyon (robertl-9) wrote :
Robert Lyon (robertl-9) on 2017-09-27
summary: - Webservice test client not escaping returned dumped values to screen
+ Webservice test client / elasticsearch not escaping returned dumped
+ values to screen
information type: Private Security → Public Security
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8219
Committed: https://git.mahara.org/mahara/mahara/commit/63c9b7c7fabd591012dc125ded8d0b012fec064c
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 63c9b7c7fabd591012dc125ded8d0b012fec064c
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 12:08:05 2017 +1300

Bug 1719480: Escaping the output of the webservice testclient

Before displaying it to screen

Change-Id: I0bfc727ca6e0feee649392fcd85a89b16f55201f
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 648b191ed8f93c5b4171837018eebc3db19974ad)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8218
Committed: https://git.mahara.org/mahara/mahara/commit/1042bf4ee27c65dc56459776aa2a91a3fa373c44
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 1042bf4ee27c65dc56459776aa2a91a3fa373c44
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 12:08:05 2017 +1300

Bug 1719480: Escaping the output of the webservice testclient

Before displaying it to screen

Change-Id: I0bfc727ca6e0feee649392fcd85a89b16f55201f
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 648b191ed8f93c5b4171837018eebc3db19974ad)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8217
Committed: https://git.mahara.org/mahara/mahara/commit/cde1a4d35b5c5a1fa721ff1311e9a2402a45b6ee
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit cde1a4d35b5c5a1fa721ff1311e9a2402a45b6ee
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 12:08:05 2017 +1300

Bug 1719480: Escaping the output of the webservice testclient

Before displaying it to screen

Change-Id: I0bfc727ca6e0feee649392fcd85a89b16f55201f
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 648b191ed8f93c5b4171837018eebc3db19974ad)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "17.04_STABLE" branch: https://reviews.mahara.org/8243

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8243
Committed: https://git.mahara.org/mahara/mahara/commit/d360f4f2a06e8b6364e14a196b01f0e182dfc0d5
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit d360f4f2a06e8b6364e14a196b01f0e182dfc0d5
Author: Robert Lyon <email address hidden>
Date: Wed Sep 27 16:33:03 2017 +1300

Bug 1719480: Need to escape displayname in elasticsearch templates

Change-Id: I663f6ffde03b6b3504d49a767ac0ff55d0ab8437
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 056d42fc014a846399af42be84f243b0f419c939)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "16.10_STABLE" branch: https://reviews.mahara.org/8244

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8244
Committed: https://git.mahara.org/mahara/mahara/commit/5b0b1f07ac798b01a6da204523ac7fa73ebd9130
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit 5b0b1f07ac798b01a6da204523ac7fa73ebd9130
Author: Robert Lyon <email address hidden>
Date: Wed Sep 27 16:33:03 2017 +1300

Bug 1719480: Need to escape displayname in elasticsearch templates

Change-Id: I663f6ffde03b6b3504d49a767ac0ff55d0ab8437
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 056d42fc014a846399af42be84f243b0f419c939)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "16.04_STABLE" branch: https://reviews.mahara.org/8245

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8245
Committed: https://git.mahara.org/mahara/mahara/commit/3a1166a789e7eae75923dad5fd12f35230f0196c
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 3a1166a789e7eae75923dad5fd12f35230f0196c
Author: Robert Lyon <email address hidden>
Date: Wed Sep 27 16:33:03 2017 +1300

Bug 1719480: Need to escape displayname in elasticsearch templates

Change-Id: I663f6ffde03b6b3504d49a767ac0ff55d0ab8437
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 056d42fc014a846399af42be84f243b0f419c939)
(cherry picked from commit 5b0b1f07ac798b01a6da204523ac7fa73ebd9130)

Revision history for this message
Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "15.04_STABLE" branch: https://reviews.mahara.org/8246

Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8246
Committed: https://git.mahara.org/mahara/mahara/commit/7a55082017280b59c6fc5316ff188d699a42005d
Submitter: Robert Lyon (<email address hidden>)
Branch: 15.04_STABLE

commit 7a55082017280b59c6fc5316ff188d699a42005d
Author: Robert Lyon <email address hidden>
Date: Wed Sep 27 16:33:03 2017 +1300

Bug 1719480: Need to escape displayname in elasticsearch templates

Change-Id: I663f6ffde03b6b3504d49a767ac0ff55d0ab8437
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 056d42fc014a846399af42be84f243b0f419c939)
(cherry picked from commit 5b0b1f07ac798b01a6da204523ac7fa73ebd9130)

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8216
Committed: https://git.mahara.org/mahara/mahara/commit/aeeae1931d2108f9927c6b9e6e891a397dee14cf
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit aeeae1931d2108f9927c6b9e6e891a397dee14cf
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 12:08:05 2017 +1300

Bug 1719480: Escaping the output of the webservice testclient

Before displaying it to screen

Change-Id: I0bfc727ca6e0feee649392fcd85a89b16f55201f
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 648b191ed8f93c5b4171837018eebc3db19974ad)

This report contains Public Security information.
Everyone can see this security related information.