Fix XSS in PathLength attribute in CA agent web page
- The input type is set to number when "integer" is encountered
- The server error message is HTML-escaped before it is displayed in the client browser

Resolves: BZ#1710171

Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
SilleBille committed Jun 18, 2020
1 parent 578f682 commit b235c0f
Showing 2 changed files with 3 additions and 2 deletions.
2 changes: 1 addition & 1 deletion base/ca/shared/webapps/ca/agent/ca/ProfileReview.template
@@ -345,7 +345,7 @@ document.writeln('</FONT>');
} else if (recordSet[i].defListSet[j].defSyntax == 'string_list') {
document.writeln('<textarea cols=40 rows=5 name="' + recordSet[i].defListSet[j].defId + '">' + recordSet[i].defListSet[j].defVal + '</textarea>');
} else if (recordSet[i].defListSet[j].defSyntax == 'integer') {
document.writeln('<input size=6 type=text name="' + recordSet[i].defListSet[j].defId + '" value="' + recordSet[i].defListSet[j].defVal + '">');
document.writeln('<input size=6 type=number name="' + recordSet[i].defListSet[j].defId + '" value="' + recordSet[i].defListSet[j].defVal + '">');
} else if (recordSet[i].defListSet[j].defSyntax == 'image_url') {
document.writeln('<img border=0 src="' + recordSet[i].defListSet[j].defVal + '">');
document.writeln('<input type=hidden name="' + recordSet[i].defListSet[j].defId + '" value="' + recordSet[i].defListSet[j].defVal + '">');
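Review bot: Switching the `integer` branch to `type=number` only changes how the browser treats the field after the markup has been parsed; `defVal` is still concatenated unescaped into the `value="..."` attribute by `document.writeln`, so a value containing a double quote would still close the attribute before any numeric validation applies. Unless `defVal` is validated or escaped where `recordSet` is generated (not visible here), this branch should HTML-escape the value before writing it, or build the input with DOM APIs and assign `.value`. The context lines for `string_list` and `image_url` concatenate `defVal` the same way (into a `<textarea>` body, an `<img src>` and a hidden input) and are not touched by this commit, so they deserve the same treatment. The server should also reject non-integer values for this syntax, since the input type is not enforced on submitted requests.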
@@ -44,6 +44,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringEscapeUtils;
import org.dogtagpki.server.authentication.IAuthManager;
import org.dogtagpki.server.authorization.AuthzToken;
import org.dogtagpki.server.authorization.IAuthzSubsystem;
@@ -757,7 +758,7 @@ public void renderFinalError(CMSRequest cmsReq, Exception ex)
if (tokenIdx != -1) {
finalErrMsg =
mFinalErrorMsg.substring(0, tokenIdx) +
ex.toString() +
StringEscapeUtils.escapeHtml(ex.toString()) +
mFinalErrorMsg.substring(
tokenIdx + ERROR_MSG_TOKEN.length());
}
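Review bot: `StringEscapeUtils.escapeHtml` from `org.apache.commons.lang` escapes `<`, `>`, `&` and `"` but not the single quote, so the substitution at `ERROR_MSG_TOKEN` is only safe if the token sits in HTML element content or a double-quoted attribute in `mFinalErrorMsg`. If the template places it in a single-quoted attribute or inside a script block, a different encoder is needed. A short comment above the call stating the expected context would help, e.g. `// ERROR_MSG_TOKEN must appear in HTML body text only; escapeHtml does not cover JS or single-quoted attributes`. Separately, `ex.toString()` sends the exception class name and message to the browser; consider logging that detail server-side and returning a generic message. The body of `renderFinalError` starts and ends outside this hunk, so the path taken when `tokenIdx == -1` could not be checked.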