
Quick access error when having a wrong url #17050

Merged: 5 commits merged into PrestaShop:1.7.6.x from PierreRambaud:fix/xss-quick-access on Jan 10, 2020

Conversation

PierreRambaud (Contributor) commented Jan 7, 2020

Questions / Answers
Branch? 1.7.6.x
Description? Thanks to Charlie Hosier for the report. URLs are not escaped when using the quick add button. CVE-2020-6632
Type? bug fix
Category? CO
BC breaks? no
Deprecations? no
How to test? Quick access must have URLs escaped with token even after an add

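The PR description above reports quick-access links rendered without escaping. As an added illustration (not PrestaShop's code, and not the actual patch), the snippet below contrasts the unsafe pattern with one that appends the admin token and escapes every dynamic value before it reaches HTML; the item shape, `withToken` helper and sample values are constructed assumptions.

```javascript
// Minimal HTML escaping for text and attribute contexts.
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
}[c]));

// Hypothetical stand-in for rebuilding an admin link with its token
// (the real fix is described as going through context->link).
function withToken(link, token) {
  const [path, query = ''] = String(link).split('?', 2);
  const params = new URLSearchParams(query);
  params.set('token', token);          // also percent-encodes quotes and brackets
  return `${path}?${params.toString()}`;
}

// Vulnerable pattern: values interpolated straight into markup.
function renderUnsafe(item, token) {
  return `<a href="${withToken(item.link, token)}">${item.name}</a>`;
}

// Hardened pattern: escape at the point each value enters HTML.
function renderSafe(item, token) {
  const href = escapeHtml(withToken(item.link, token));
  return `<a href="${href}">${escapeHtml(item.name)}</a>`;
}

// Constructed sample: a quick-access entry whose label carries markup.
const sampleItem = { name: 'Orders <b>x</b>', link: 'index.php?controller=AdminOrders' };
const sampleToken = 'tok123';

// Returns true when the rendered link still contains a live <b> tag.
function containsRawTag(html) {
  return /<b>/.test(html);
}
```

Run with `node` and compare `renderUnsafe(sampleItem, sampleToken)` with `renderSafe(sampleItem, sampleToken)`: only the former keeps the raw `<b>` tag.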

@PierreRambaud PierreRambaud requested a review from PrestaShop/prestashop-core-developers as a code owner Jan 7, 2020
jolelievre (Contributor) left a comment

I don't understand everything but I trust you ^^
I guess the main difference is that getQuickAccessesWithToken rebuilds the link using context->link

@jolelievre jolelievre added this to the 1.7.6.3 milestone Jan 7, 2020
@jolelievre jolelievre added this to In progress in PrestaShop 1.7.6 via automation Jan 7, 2020
@jolelievre jolelievre moved this from In progress to To be tested in PrestaShop 1.7.6 Jan 7, 2020
@PierreRambaud PierreRambaud added WIP and removed waiting for QA labels Jan 8, 2020
jolelievre (Contributor) left a comment

Ok for me, but you don't need to publish all the built assets
I think main.bundle.js is enough

PierreRambaud (Contributor, Author) commented Jan 8, 2020

@jolelievre Not my fault if all assets changed when I built them 😅

jolelievre (Contributor) commented Jan 8, 2020

@PierreRambaud true! but you can choose to commit only some of them ^^ The one related to what you changed

jolelievre (Contributor) left a comment

Ok, since we are preparing a fix version let's publish all assets just in case 😉

@PierreRambaud PierreRambaud force-pushed the PierreRambaud:fix/xss-quick-access branch from 5dbca64 to 011d883 Jan 10, 2020
@matks matks approved these changes Jan 10, 2020
@Robin-Fischer-PS Robin-Fischer-PS moved this from To be tested to To be merged in PrestaShop 1.7.6 Jan 10, 2020
@NeOMakinG NeOMakinG merged commit 0e8c609 into PrestaShop:1.7.6.x Jan 10, 2020
2 checks passed: PrettyCI Code formatting; Travis CI - Pull Request Build Passed
PrestaShop 1.7.6 automation moved this from To be merged to Done Jan 10, 2020