Tryton - Issues


Issue9351

Title: Cross Site Scripting
Priority: urgent
Status: resolved
Superseder:
Nosy List: bch, ced, nicoe, pokoli, reviewbot, roundup-bot, sharkcz, yangoon
Type: security
Components: sao
Assigned To: ced
Keywords: review
Reviews: 301651002

Created on 2020-05-18.22:31:17 by ced, last changed by roundup-bot.

Messages
msg58288 Author: roundup-bot Date: 2020-05-26.10:24:53
New changeset cbe3d73589e0 by Cédric Krier in branch 'default':
Escape external strings
https://hg.tryton.org/tryton-env/rev/cbe3d73589e0
msg58278 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-05-25.19:27:55
I could not find time today to make the release. I will do it tomorrow, 26/05/2020, at 10:00 am CEST.
msg58118 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-05-18.22:45:53
As this security issue has been disclosed without even contacting us to prepare a fix, I think we should publish a security release for all branches very quickly. I propose 25/05/2020 at 10:00 am CEST.
msg58116 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-05-18.22:32:44
Here is review 301651002, which makes the replacement.
Please test it extensively as it is quite big.
msg58115 Author: [hidden] (ced) (Tryton committer) (Tryton translator) Date: 2020-05-18.22:31:17
I found this publication by chance: https://www.vulnerability-lab.com/get_content.php?id=2233
The problem is the usage of jQuery.append for input coming from the user (jQuery does not escape text in this method).
The described PoC is not really bad because only the user can infect their own session. But I performed a review of all usages and I found more, like the CSV export name (which can be shared between users).

As a solution, I propose replacing all usage of jQuery.append for non-fixed text with jQuery.text (which escapes the HTML). I also think we should do this for translated fixed text because the translation process is open and some malicious user may try to inject suspicious translations into the next release.
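The append-versus-text difference described in this message, as an added example that is not Tryton's or sao's code: since jQuery is not loaded here, a small constructed stand-in models the two methods (append interprets a string as markup, text escapes it) and shows why a CSV export name controlled by one user must go through text() before another user's browser renders it.

```javascript
// Added example (not sao's code): a minimal stand-in for the two jQuery
// methods discussed in the message. It models the DOM only as far as the
// serialized HTML is concerned; real jQuery parses the markup into nodes.

// Escape the five characters that matter in HTML text content. This is what
// the browser does implicitly when jQuery.text() assigns textContent.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Tiny element model: append(string) interprets the string as markup
// (as jQuery.append does), text(string) escapes it (as jQuery.text does).
function createElement(tag) {
  let inner = '';
  return {
    append(html) { inner += html; return this; },
    text(str) { inner = escapeHtml(str); return this; },
    html() { return `<${tag}>${inner}</${tag}>`; },
  };
}

// Before the fix: a user-supplied export name is inserted as markup.
function renderExportNameVulnerable(name) {
  return createElement('option').append(name).html();
}

// After the fix: the same name is inserted as text, so any markup in it
// becomes inert characters.
function renderExportNameFixed(name) {
  return createElement('option').text(name).html();
}

// Constructed sample: an export name containing markup, as another user of
// the same database might have saved it.
const SAMPLE_EXPORT_NAME = 'Q1 sales <b title="t">report</b>';

// Check usable when reviewing rendered output: does the given tag survive
// as a real element in the serialized HTML?
function containsRawTag(rendered, tag) {
  return rendered.includes(`<${tag}`) || rendered.includes(`</${tag}>`);
}
```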
History
Date                 User         Action  Args
2020-05-26 10:24:53  roundup-bot  set     messages: + msg58288
2020-05-26 10:23:13  ced          set     status: testing -> resolved
2020-05-25 19:27:56  ced          set     messages: + msg58278
2020-05-18 22:45:53  ced          set     messages: + msg58118
2020-05-18 22:32:44  ced          set     status: in-progress -> testing
                                          reviews: 301651002
                                          messages: + msg58116
                                          keyword: + review
2020-05-18 22:31:17  ced          create
