[Bug 11322] New: Suggestion "notes" field should be sanitized or escaped
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Bug ID: 11322 Summary: Suggestion "notes" field should be sanitized or escaped Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: major Priority: P5 - low Component: Acquisitions Assignee: koha-bugs@lists.koha-community.org Reporter: abl@biblos.pk.edu.pl QA Contact: testopia@bugs.koha-community.org It's possible for patron to make purchase suggestion from OPAC with html/javascript code within Notes: field. Such injected JS code will be stored in the database, and in certain circumstances (when managing suggestions in acquisition) it may got subsequently executed in staff WWW browser. Other suggestion fields may be affected as well, but the problem with 'notes' is potentially more severe because it's a long field - more elaborate "evil" script will fit into it. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Jacek Ablewicz <abl@biblos.pk.edu.pl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |abl@biblos.pk.edu.pl -- You are receiving this mail because: You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gmcharlt@gmail.com --- Comment #1 from Galen Charlton <gmcharlt@gmail.com> --- Not just notes -- most of the fields in the suggestion form (except for title) aren't using the Template Toolkit HTML filter. A combination of using C4::Scrubber and the HTML TT filter should provide belts and suspenders. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED CC| |chris@bigballofwax.co.nz Severity|major |critical --- Comment #2 from Chris Cormack <chris@bigballofwax.co.nz> --- Working on some patches for this now -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #3 from Chris Cormack <chris@bigballofwax.co.nz> --- Created attachment 23241 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23241&action=edit Bug 11322 : XSS in suggestions To test 1/ Switch on purchase suggestions 2/ On the public interface (OPAC) add a suggestion, put html in every field 3/ In the staff interface go to the suggestions page /cgi-bin/koha/suggestion/suggestion.pl 4/ Notice the html is rendered 5/ Click on a suggestion, notice the html is rendered on the show page also 6/ Apply the patch, check these two pages again, html should now be escaped -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #4 from Chris Cormack <chris@bigballofwax.co.nz> --- Created attachment 23242 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23242&action=edit Bug 11322 : XSS in suggestions - OPAC 1/ Add a suggestion in the opac, with lots of html 2/ View that suggestion in the OPAC, note the html is rendering 3/ Apply the patch 4/ Test again, in prog and bootstrap, no more rendered html -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23241|0 |1 is obsolete| | --- Comment #5 from David Cook <dcook@prosentient.com.au> --- Created attachment 23243 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23243&action=edit Bug 11322 : XSS in suggestions To test 1/ Switch on purchase suggestions 2/ On the public interface (OPAC) add a suggestion, put html in every field 3/ In the staff interface go to the suggestions page /cgi-bin/koha/suggestion/suggestion.pl 4/ Notice the html is rendered 5/ Click on a suggestion, notice the html is rendered on the show page also 6/ Apply the patch, check these two pages again, html should now be escaped Signed-off-by: David Cook <dcook@prosentient.com.au> Works as described. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Chris Cormack <chris@bigballofwax.co.nz> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |Needs Signoff Patch complexity|--- |Trivial patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #6 from Chris Cormack <chris@bigballofwax.co.nz> --- Created attachment 23244 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23244&action=edit Bug 11322 : XSS - Scrub bad data before storing suggestions in the db 1/ In the public interface, add a suggestion containing html 2/ Save, notice the html is rendered (or if you have the other patches is displayed) 3/ Apply this paget 4/ Add another suggestion 5/ Notice the html is stripped -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23242|0 |1 is obsolete| | --- Comment #7 from David Cook <dcook@prosentient.com.au> --- Created attachment 23245 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23245&action=edit Bug 11322 : XSS in suggestions - OPAC 1/ Add a suggestion in the opac, with lots of html 2/ View that suggestion in the OPAC, note the html is rendering 3/ Apply the patch 4/ Test again, in prog and bootstrap, no more rendered html Signed-off-by: David Cook <dcook@prosentient.com.au> Works as described. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23244|0 |1 is obsolete| | --- Comment #8 from David Cook <dcook@prosentient.com.au> --- Created attachment 23246 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23246&action=edit Bug 11322 : XSS - Scrub bad data before storing suggestions in the db 1/ In the public interface, add a suggestion containing html 2/ Save, notice the html is rendered (or if you have the other patches is displayed) 3/ Apply this paget 4/ Add another suggestion 5/ Notice the html is stripped Signed-off-by: David Cook <dcook@prosentient.com.au> Works as described. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 David Cook <dcook@prosentient.com.au> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Needs Signoff |Signed Off CC| |dcook@prosentient.com.au -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #9 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 23247 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23247&action=edit [PASSED QA] Bug 11322 : XSS in suggestions To test 1/ Switch on purchase suggestions 2/ On the public interface (OPAC) add a suggestion, put html in every field 3/ In the staff interface go to the suggestions page /cgi-bin/koha/suggestion/suggestion.pl 4/ Notice the html is rendered 5/ Click on a suggestion, notice the html is rendered on the show page also 6/ Apply the patch, check these two pages again, html should now be escaped Signed-off-by: David Cook <dcook@prosentient.com.au> Works as described. Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> Passes all tests, thx Chris! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #10 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 23248 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23248&action=edit [PASSED QA] Bug 11322 : XSS in suggestions - OPAC 1/ Add a suggestion in the opac, with lots of html 2/ View that suggestion in the OPAC, note the html is rendering 3/ Apply the patch 4/ Test again, in prog and bootstrap, no more rendered html Signed-off-by: David Cook <dcook@prosentient.com.au> Works as described. Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #11 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- Created attachment 23249 --> http://bugs.koha-community.org/bugzilla3/attachment.cgi?id=23249&action=edit [PASSED QA] Bug 11322 : XSS - Scrub bad data before storing suggestions in the db 1/ In the public interface, add a suggestion containing html 2/ Save, notice the html is rendered (or if you have the other patches is displayed) 3/ Apply this paget 4/ Add another suggestion 5/ Notice the html is stripped Signed-off-by: David Cook <dcook@prosentient.com.au> Works as described. Signed-off-by: Katrin Fischer <Katrin.Fischer.83@web.de> -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Signed Off |Passed QA CC| |katrin.fischer@bsz-bw.de Patch complexity|Trivial patch |Small patch -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23243|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23245|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Katrin Fischer <katrin.fischer@bsz-bw.de> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #23246|0 |1 is obsolete| | -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Galen Charlton <gmcharlt@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Passed QA |Pushed to Master --- Comment #12 from Galen Charlton <gmcharlt@gmail.com> --- Pushed to master. Thanks, Chris! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #13 from Jacek Ablewicz <abl@biblos.pk.edu.pl> --- Works as described for me too, thanks! On related subject, I think we may have some similiar problems with patron-submitted data in other places as well, e.g.: as a test I just submitted "personal data" update request from OPAC via opac/opac-memberentry.pl, with JS code in 'Address 2' field, and injected script seems to work in members/members-update.pl. But I guess it would be better to assign separate bug numbers for such further issues (if any)? -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 --- Comment #14 from Chris Cormack <chris@bigballofwax.co.nz> --- (In reply to Jacek Ablewicz from comment #13)
Works as described for me too, thanks!
On related subject, I think we may have some similiar problems with patron-submitted data in other places as well, e.g.: as a test I just submitted "personal data" update request from OPAC via opac/opac-memberentry.pl, with JS code in 'Address 2' field, and injected script seems to work in members/members-update.pl. But I guess it would be better to assign separate bug numbers for such further issues (if any)?
Yep new bug on any others you find, i checked reviews/comments and tags, they are ok. But im prepared to believe member update isn't. At least with that you have to be logged in, so not quite as bad as the suggestions (which could be done without login if the syspref was set that way) -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Fridolin SOMERS <fridolyn.somers@biblibre.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to Master |Pushed to Stable CC| |fridolyn.somers@biblibre.co | |m --- Comment #15 from Fridolin SOMERS <fridolyn.somers@biblibre.com> --- Those patches has been pushed to 3.14.x, will be in 3.14.1 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11322 Tomás Cohen Arazi <tomascohen@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tomascohen@gmail.com --- Comment #16 from Tomás Cohen Arazi <tomascohen@gmail.com> --- This patch has been pushed to 3.12.x, will be in 3.12.8. Thanks Chris! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org