Change in ovirt-engine[engine_3.2]: core: Avoid XSS in RedirectServlet
oschreib at redhat.com
oschreib at redhat.com
Thu Sep 12 08:13:38 UTC 2013
Ofer Schreiber has submitted this change and it was merged.
Change subject: core: Avoid XSS in RedirectServlet
......................................................................
core: Avoid XSS in RedirectServlet
Currently the RedirectServlet composes JavaScript code to show error
messages using text provided by the user in a request parameter. This
text isn't sanitized and thus can be used by maliciuous users to execute
arbitrary JavaScript code. To avoid this situation this patch changes
the servlet so that it doesn't receive any parameter, thus the problem
is completely avoided.
Change-Id: Ie77e6a063e1522b2e108076a240939ca1dae272e
Signed-off-by: Juan Hernandez <juan.hernandez at redhat.com>
---
M backend/manager/modules/root/src/main/webapp/index.html
D frontend/wars/rmw-war/src/main/java/org/ovirt/engine/core/redirect/RedirectServlet.java
A frontend/wars/rmw-war/src/main/java/org/ovirt/engine/core/redirect/ReportsRedirectServlet.java
M frontend/wars/rmw-war/src/main/webapp/WEB-INF/web.xml
4 files changed, 47 insertions(+), 115 deletions(-)
Approvals:
Juan Hernandez: Looks good to me, but someone else must approve
Alexander Wels: Verified
Ofer Schreiber: Verified; Looks good to me, approved
--
To view, visit http://gerrit.ovirt.org/19153
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: Ie77e6a063e1522b2e108076a240939ca1dae272e
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: engine_3.2
Gerrit-Owner: Alexander Wels <awels at redhat.com>
Gerrit-Reviewer: Alexander Wels <awels at redhat.com>
Gerrit-Reviewer: Einav Cohen <ecohen at redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernandez at redhat.com>
Gerrit-Reviewer: Ofer Schreiber <oschreib at redhat.com>
More information about the Engine-commits
mailing list