Bug #5459 (closed)
system_advanced_sysctl.php lacking input validation, output sanitation
Description
system_advanced_sysctl.php has no input validation (in 2.2.x either). We should be safe to limit Tunable and Value fields to alphanumeric plus - . and _
Tunable and Value should both be required fields. No restrictions on description necessary.
It's also XSS-able, where 2.2.x isn't. For instance, throw
'><script>alert("hi");</script>
into any of the fields.
Updated by Anonymous about 9 years ago
- Status changed from Assigned to Feedback
- Assignee changed from Anonymous to Chris Buechler
Inputs validated
Error messages provided
htmlspecialchars() protection added where required
Updated by Chris Buechler about 9 years ago
- Status changed from Feedback to Confirmed
- Assignee changed from Chris Buechler to Anonymous
- Priority changed from High to Normal
The XSS is fixed, thanks! It's a bit overzealous on the htmlentities somewhere it appears. For instance, save the
'><script>alert("hi");</script>
as your description, and your config ends up with:
<descr><![CDATA['&gt;&lt;script&gt;alert(&amp;quot;hi&quot;);&lt;/script&gt;]]></descr>
Then you get exactly that upon editing the entry. That'll mess up a variety of usable descriptions.
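The validation rule proposed in the description (Tunable and Value required and limited to alphanumerics plus "-", "." and "_") and the double-encoding problem described in this comment can be shown together in a few lines of PHP. The following is an added example written for this page, not pfSense code; the function names, the field keys and the sample entry are assumptions. The point it illustrates is the one the comment makes: store the description as submitted and escape it once, at output time, rather than at both save and output time.

```php
<?php
// Added example, not pfSense code. Function names, $post keys and sample values are
// hypothetical and chosen to mirror the bug report.

// Allowed character set for the Tunable and Value fields, as proposed in the report.
const TUNABLE_PATTERN = '/^[A-Za-z0-9._-]+$/';

/**
 * Validate a submitted sysctl entry. Tunable and Value are required and must match
 * TUNABLE_PATTERN; the description is left unrestricted. Returns a list of error
 * messages, empty when the entry is acceptable.
 */
function validate_tunable_entry(array $post): array {
    $errors = [];
    foreach (['tunable', 'value'] as $field) {
        $v = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($v === '') {
            $errors[] = "The field '$field' is required.";
        } elseif (!preg_match(TUNABLE_PATTERN, $v)) {
            $errors[] = "The field '$field' may only contain letters, digits, '-', '.' and '_'.";
        }
    }
    return $errors;
}

/**
 * Escape a stored string for an HTML context. This is the only place escaping
 * happens, so the value kept in config.xml stays exactly what the user typed.
 */
function html_out(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample submission using the payload quoted in the report as the description.
$post = [
    'tunable' => 'net.inet.tcp.blackhole',
    'value'   => '2',
    'descr'   => '\'><script>alert("hi");</script>',
];

$errors = validate_tunable_entry($post);
if ($errors) {
    foreach ($errors as $e) {
        echo $e, "\n";
    }
    exit(1);
}

// Stored unchanged; CDATA in config.xml carries raw text without any HTML escaping.
$stored_descr = $post['descr'];

// Correct: escape once when rendering the edit form or the list view.
echo "escaped once: ", html_out($stored_descr), "\n";

// The behaviour reported in this comment: the value was escaped at save time and then
// escaped again on output, so the form shows entity text such as &amp;quot; to the user.
$saved_escaped = htmlspecialchars($stored_descr, ENT_QUOTES, 'UTF-8');
echo "escaped twice: ", html_out($saved_escaped), "\n";

// A rejected submission: tunable contains markup characters and value is empty.
$bad = ['tunable' => '\'><script>alert("hi");</script>', 'value' => '', 'descr' => 'x'];
foreach (validate_tunable_entry($bad) as $e) {
    echo "rejected: ", $e, "\n";
}
```

Running the script with `php example.php` prints the description escaped once (safe to embed in the page) and then the same description escaped twice (what the reporter saw after the first fix), followed by the two validation errors for the bad entry. Keeping the regex check on Tunable and Value separate from output escaping means each control has one job: the regex rejects unexpected input before it reaches the sysctl layer, and `html_out()` neutralises whatever ends up in the free-text description when it is rendered.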
Updated by Anonymous about 9 years ago
- Status changed from Confirmed to Feedback
- Assignee changed from Anonymous to Chris Buechler
Kinder, gentler version now saves: "'>alert("hi");" by using strip_tags rather than htmlspecialchars
Updated by Chris Buechler about 9 years ago
- Status changed from Feedback to Resolved
Looks good, thanks!