New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2017-1002152: JavaScript injection via Bugzilla ticket subjects #1740

Closed
bowlofeggs opened this Issue Aug 10, 2017 · 1 comment

Comments

Projects
None yet
1 participant
@bowlofeggs
Copy link
Member

bowlofeggs commented Aug 10, 2017

Marcel reported that it is possible to inject JavaScript into Bodhi's web interface through Bugzilla ticket subjects. The reporter cited an update that did not properly escape tags from the bug it was associated with.

We should run the bugzilla text through bleach, similar to what we do for comments from our users.

@bowlofeggs bowlofeggs self-assigned this Aug 15, 2017

bowlofeggs added a commit to bowlofeggs/bodhi that referenced this issue Aug 15, 2017

CVE-2017-1002152: Sanitize Bugzilla titles in rendered HTML.
fixes fedora-infra#1740

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>

bowlofeggs added a commit to bowlofeggs/bodhi that referenced this issue Aug 15, 2017

CVE-2017-1002152: Sanitize Bugzilla titles in rendered HTML.
fixes fedora-infra#1740

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>

bowlofeggs added a commit that referenced this issue Aug 15, 2017

CVE-2017-1002152: Sanitize Bugzilla titles in rendered HTML.
fixes #1740

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>

bowlofeggs added a commit that referenced this issue Aug 15, 2017

CVE-2017-1002152: Sanitize Bugzilla titles in rendered HTML.
fixes #1740

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
@bowlofeggs

This comment has been minimized.

Copy link
Member

bowlofeggs commented Aug 15, 2017

The fix for this has been cherry picked to the 2.9 branch as 2a3b06b and will be released in 2.9.1.

jeremycline added a commit that referenced this issue Aug 16, 2017

CVE-2017-1002152: Sanitize Bugzilla titles in rendered HTML.
fixes #1740

Signed-off-by: Randy Barlow <randy@electronsweatshop.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment