
Item14287: Configure needs to encode reported configuration values.

Priority: Security
Current State: Closed
Released In: 2.1.3
Target Release: patch
Applies To: Engine
Component: Configure
Branches: Release02x01 master Item14288
Reported By: GeorgeClark
Waiting For:
Last Change By: GeorgeClark
If a configure item contains things like image or other HTML tags, they get rendered in the Changed Items report from the extensions installer, and in the before/after report from the configure Save wizard.

Reporting this as a security issue as it was reported by "somedude" as such in IRC and with a private message. An extension could inject javascript into the configure interface. -- GeorgeClark - 22 Jan 2017
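The rendering problem described in the report, as an added example in Perl (Foswiki's implementation language) that is not the project's own code: the raw report interpolates each .spec value straight into an HTML table, so a constructed `<img ... onerror>` value becomes live markup in the administrator's browser, while the encoded variant shows it literally. The `encode_html` helper and the `{ImagePlugin}{Placeholder}` key are assumptions for this example (Foswiki's own encoding helper is not used so the block runs stand-alone), and the before/after values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: a minimal HTML encoder standing in for whatever helper the
# project uses. It covers the five characters that matter in text and
# attribute context.
sub encode_html {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Constructed sample configuration values. The Placeholder key is invented
# for the example; the value mimics what a .spec default containing markup
# looks like once it reaches the report.
my %before = (
    '{Plugins}{ImagePlugin}{Enabled}' => 0,
    '{ImagePlugin}{Placeholder}'      => '<img src="x" onerror="alert(1)">',
);
my %after = (
    '{Plugins}{ImagePlugin}{Enabled}' => 1,
    '{ImagePlugin}{Placeholder}'      => '<img src="/pub/System/ImagePlugin/none.png">',
);

# Vulnerable rendering: keys and values are interpolated verbatim, so any
# tag inside a value is parsed by the browser as part of the report page.
sub report_raw {
    my ($old_cfg, $new_cfg) = @_;
    my $html = "<table>\n";
    for my $key (sort keys %$new_cfg) {
        my $old = defined $old_cfg->{$key} ? $old_cfg->{$key} : '';
        $html .= "<tr><td>$key</td><td>$old</td><td>$new_cfg->{$key}</td></tr>\n";
    }
    return $html . "</table>\n";
}

# Hardened rendering: every key and value passes through encode_html before
# being placed in a cell, so the markup is displayed, not executed.
sub report_encoded {
    my ($old_cfg, $new_cfg) = @_;
    my $html = "<table>\n";
    for my $key (sort keys %$new_cfg) {
        my $old = defined $old_cfg->{$key} ? $old_cfg->{$key} : '';
        $html .= '<tr><td>' . encode_html($key) . '</td><td>'
              .  encode_html($old) . '</td><td>'
              .  encode_html($new_cfg->{$key}) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

print "--- raw (markup becomes live) ---\n",         report_raw(\%before, \%after);
print "--- encoded (markup shown literally) ---\n",  report_encoded(\%before, \%after);
```

The check a practitioner wants is in the second table: the cell for the Placeholder key should read `&lt;img src=&quot;x&quot; onerror=&quot;alert(1)&quot;&gt;` rather than containing a real `<img>` element, and the key text itself is encoded too, since .spec keys are just as attacker-controlled as the values.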

I really don't think this is necessary. If a hacker is able to munge a .spec file and add HTML, then they are able to hack the content of the package and install much evil.

The patch doesn't hurt much, I just don't think there's much point to it.

-- Main.CrawfordCurrie - 23 Jan 2017 - 15:19

True. I pointed that out. His response was
"other things are risky too" is a really bad counter-argument to a "this thing is generating bogus html"

I do recall ages ago that I was confused by the broken images in the report when I installed the ImagePlugin, so it is a bit cleaner even if not all that significant.

-- GeorgeClark - 23 Jan 2017
 
Topic revision: r7 - 18 Feb 2017, GeorgeClark
