Bug #5877

closed

firewall_shaper_vinterface.php and firewall_shaper_layer7.php: Parameters are printed without escaping

Added by Jim Pingle over 9 years ago. Updated over 8 years ago.

Status: Resolved
Priority: Urgent
Assignee:
Category: Traffic Shaper (Limiters)
Target version: -
Start date: 02/10/2016
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

On firewall_shaper_vinterface.php and firewall_shaper_layer7.php many parameters are printed without escaping. Notably the "newname" parameter on limiters and "container" on Layer 7, though others are affected. Lumping these into one ticket because they share a common backend in shaper.inc on 2.2.x.

Input validation prevents the bad values from being stored, but the invalid values are echoed back to the user without encoding.

2.3 is not affected by any of these (especially the L7 one, which has been removed).
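The failure mode described in this ticket, where validation rejects a value but the error page echoes it back unencoded, shown as an added example (not code from shaper.inc or the affected pages). The function names, the name rule and the sample value are assumptions made for illustration.

```php
<?php
// Added illustration; validate_name(), render_unsafe() and render_safe()
// are hypothetical helpers, not pfSense functions.

// Validation rejects bad values, so nothing invalid is ever stored.
// The character/length rule here is a constructed example rule.
function validate_name(string $name): array {
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_-]{1,15}$/', $name)) {
        $errors[] = 'Name may only contain letters, digits, "_" and "-".';
    }
    return $errors;
}

// Weak error path: the rejected value is written back into the form as-is.
function render_unsafe(string $name, array $errors): string {
    return '<p class="error">' . implode(' ', $errors) . '</p>' .
           '<input type="text" name="newname" value="' . $name . '">';
}

// Hardened error path: the value is HTML-encoded before it is placed
// in the attribute, so quotes and angle brackets stay inert text.
function render_safe(string $name, array $errors): string {
    $enc = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . implode(' ', $errors) . '</p>' .
           '<input type="text" name="newname" value="' . $enc . '">';
}

// Constructed sample input: fails validation and contains markup.
$submitted = 'lim1"><i>injected</i>';
$errors = validate_name($submitted);

// The value is rejected in both cases; only the output encoding differs.
foreach (['render_unsafe', 'render_safe'] as $fn) {
    $html = $fn($submitted, $errors);
    $raw = strpos($html, '<i>') !== false ? 'yes' : 'no';
    printf("%s: rejected=%s, raw markup in page=%s\n%s\n\n",
        $fn, $errors ? 'yes' : 'no', $raw, $html);
}
```

Encoding at the point of output is needed on the error path as well as the success path, because a value that validation rejects still travels from the request into the response.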

Actions #1

Updated by Jim Pingle over 9 years ago

  • Status changed from Assigned to Feedback
  • % Done changed from 0 to 100

Actions #2

Updated by Jim Pingle over 9 years ago

  • Status changed from Feedback to Resolved

Additional feedback from the original reporter confirms the internal testing results that this has been fixed.

Actions #3

Updated by Jim Pingle over 8 years ago

  • Private changed from Yes to No