Bug #13387

closed

Input validation is not rejecting invalid description characters when editing a CA or Certificate

Added by Jim Pingle over 2 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Certificates
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 23.01
Release Notes: Default
Affected Version:
Affected Architecture:

Description

When editing an existing CA or Certificate, the description is not validated on save the way it is validated during other actions (create, sign, etc.).

There are some instances where the description is displayed without encoding because it is assumed to have been validated, which means there is a potential for XSS there (e.g. save messages, the Issuer column displaying the CA name, perhaps others), so we should encode those for good measure in addition to the validation.
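
The validate-on-save plus encode-on-display pattern the description calls for, shown as an added PHP example that is not pfSense's own code. The function names, the character policy (which characters are refused) and the sample values are assumptions for illustration; the ticket does not list the characters the project actually rejects.

```php
<?php
// Added example, not pfSense code. Demonstrates the two layers the ticket
// asks for: refuse bad descriptions on every save path (create and edit),
// and HTML-encode the description wherever it is displayed, even if it was
// supposedly validated earlier.

// Assumed policy for this example: printable ASCII only, and none of the
// characters that are meaningful in HTML. Returns a list of error strings so
// a caller can fold them into the page's input_errors array.
function validate_description(string $desc): array {
    $errors = [];
    if ($desc === '') {
        $errors[] = 'The description cannot be empty.';
        return $errors;
    }
    // Assumption: these are the characters this example's policy refuses.
    if (preg_match('/[<>"\'&\\\\]/', $desc)) {
        $errors[] = 'The description may not contain the characters < > " \' & \\';
    }
    if (preg_match('/[^\x20-\x7e]/', $desc)) {
        $errors[] = 'The description may only contain printable ASCII characters.';
    }
    return $errors;
}

// Encode at the point of output regardless of prior validation: a CA or
// certificate edited before the fix may still carry a hostile description.
function display_description(string $desc): string {
    return htmlspecialchars($desc, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Simulated save handler. $validate_on_edit = false reproduces the bug
// (edits bypass validation); true is the fixed behaviour.
function save_description(string $desc, bool $is_edit, bool $validate_on_edit): array {
    $input_errors = [];
    if (!$is_edit || $validate_on_edit) {
        $input_errors = validate_description($desc);
    }
    return $input_errors; // an empty array means the value would be saved
}

// Constructed sample values for the demonstration.
$hostile = '<script>alert(1)</script>';
$benign  = 'Internal CA 2022';

// Before the fix: an edit with a hostile description is accepted.
echo 'buggy edit path accepts hostile value: ';
var_dump(save_description($hostile, true, false) === []);

// After the fix: the edit path validates like the create path does.
echo 'fixed edit path rejects hostile value: ';
var_dump(save_description($hostile, true, true) !== []);
echo 'fixed edit path accepts benign value: ';
var_dump(save_description($benign, true, true) === []);

// Output encoding neutralises anything that was stored before the fix.
echo 'encoded for display: ', display_description($hostile), "\n";
```

The point of keeping both layers is that validation only protects rows written after the fix; the encoding in `display_description()` is what protects the save messages and the Issuer column against values that were stored while the edit path skipped validation.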

Actions #1

Updated by Jim Pingle over 2 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #2

Updated by Danilo Zrenjanin over 2 years ago

Tested the patch against:

2.7.0-DEVELOPMENT (amd64)
built on Fri Jul 29 06:15:24 UTC 2022
FreeBSD 12.3-STABLE

It works as expected. A help text with allowed or forbidden characters for that field would be helpful there.

Actions #4

Updated by Jim Pingle about 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #5

Updated by Jim Pingle about 2 years ago

  • Status changed from Feedback to In Progress

I'll add the list of invalid characters to the help text for those fields.

Actions #6

Updated by Jim Pingle about 2 years ago

  • Status changed from In Progress to Feedback
Actions #7

Updated by Danilo Zrenjanin about 2 years ago

  • Status changed from Feedback to Resolved

Tested against:

23.01-DEVELOPMENT (amd64)
built on Fri Dec 02 06:04:48 UTC 2022
FreeBSD 14.0-CURRENT

It does the input validation when editing the existing CA or Certificate. I am marking this ticket resolved.

Actions #8

Updated by Jim Pingle almost 2 years ago

  • Private changed from Yes to No