CVE-2019-25095: Protect against XSS vulnerabilities in URL redirection by jthiltges · Pull Request #16 · kakwa/ldapcherry

A vulnerability, which was classified as problematic, was found in kakwa LdapCherry up to 0.x. Affected is an unknown function of the component URL Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 1.0.0 is able to address this issue. The name of the patch is 6f98076281e9452fdb1adcd1bcbb70a6f968ade9. It is recommended to upgrade the affected component. VDB-217434 is the identifier assigned to this vulnerability.



Conversation

  • Switch from base64 to URL encoding for passing the URL, using the built-in Mako filtering
  • Apply HTML filtering to Mako output by default
  • Disable HTML filtering for nested templates in adduser, modify, and selfmodify


Coverage remained the same at ?% when pulling 6f98076 on jthiltges:escape into 1ed654c on kakwa:master.

**kakwa** (Owner) commented Jan 2, 2019

Thank you for reporting.

I completely missed this redirect as an untrusted user input. Thank you for the fix.

I do test against a list of “naughty” strings (`def testNaughtyStrings(self):`) but it proved to be not enough.

And thank you for the overall improvements using the mako escaping, this will help greatly to reduce the risk of content injection, adding a layer of protection.

Thanks so much for your help and the prompt merge!

**kakwa** (Owner) commented Jan 3, 2019

**jthiltges** (Contributor, Author) commented Jan 3, 2019

I’m updating our install and just noticed an issue with escaping on the selfmodify and modify pages. Sorry about that. I’ll get a new PR opened shortly.

```html
<select class="form-control" id="attr.shell" name="attr.shell">
    &lt;option&gt;/bin/bash&lt;/option&gt;
    <option>/bin/tcsh</option>
</select>
```
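To show the two layers the PR description introduces (URL-encoding the redirect target, HTML-escaping template output by default) and why an already-escaped nested fragment must not go through the default filter a second time, here is an added example in plain Python; it is not LdapCherry's code. The `h` and `u` helpers imitate Mako's filters of the same name, `SafeHTML` stands in for markupsafe's `Markup`, and the URL shape, function names and sample values are assumptions.

```python
import html
from urllib.parse import parse_qs, quote


class SafeHTML(str):
    """Marker for a fragment that is already escaped (stands in for markupsafe.Markup)."""


def h(value):
    """HTML-escape filter in the spirit of Mako's `h`: escapes a plain string once,
    passes a fragment already marked SafeHTML through untouched."""
    if isinstance(value, SafeHTML):
        return value
    return SafeHTML(html.escape(str(value), quote=True))


def u(value):
    """URL-escape filter in the spirit of Mako's `u`: percent-encodes everything
    outside the unreserved set, so quotes and angle brackets cannot survive."""
    return quote(str(value), safe="")


def login_url_with_redirect(next_url):
    """Build the login URL carrying the post-login target as a URL-encoded parameter
    (assumed URL layout, not LdapCherry's actual route)."""
    return "/login?url=" + u(next_url)


def redirect_target(query_string):
    """Recover the target from the query string; parse_qs undoes the percent-encoding."""
    return parse_qs(query_string).get("url", [""])[0]


def render_login_form(next_url):
    """Outer template: the target is HTML-escaped by the default filter before it
    lands inside an attribute value, so a crafted URL cannot break out of it."""
    return '<input type="hidden" name="url" value="%s">' % h(next_url)


def render_options(shells):
    """Nested template (like the shell <select> on modify/selfmodify): escapes each
    option value itself and marks the finished fragment as safe."""
    return SafeHTML("".join("<option>%s</option>" % h(s) for s in shells))


def render_select(options_fragment):
    """Outer template embedding the nested fragment under the same default filter.
    A plain str is escaped a second time, which is the &lt;option&gt; output shown in
    the comment above; a SafeHTML fragment is embedded as-is."""
    return '<select id="attr.shell" name="attr.shell">%s</select>' % h(options_fragment)
```

The PR handles the nested-template case by switching the default filter off for those includes; the marker type here is the markupsafe way of reaching the same result without dropping escaping for the whole fragment.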

Related news

GHSA-vq8w-x8v7-f88m: LdapCherry Cross-site Scripting vulnerability

