From 142b30628d32bc0d1d060991945f30f1758d72e9 Mon Sep 17 00:00:00 2001
From: Maximilien Bersoult <mbersoult@centreon.com>
Date: Wed, 2 May 2018 09:47:25 +0200
Subject: [PATCH] fix(sec): Fix XSS security on menu username

* Fix xss security when display username on menu
---
 www/include/core/menu/menu.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/www/include/core/menu/menu.php b/www/include/core/menu/menu.php
index a9cb3c5a03..e3bdfc1681 100644
--- a/www/include/core/menu/menu.php
+++ b/www/include/core/menu/menu.php
@@ -102,7 +102,7 @@ $tpl->assign("date_time_format_status", _("d/m/Y H:i:s"));
 /*
 * Display Login
 */
-$tpl->assign("user_login", $centreon->user->get_alias());
+$tpl->assign("user_login", htmlentities($centreon->user->get_alias()));
 /*
 * Fixe ACL
@@ -153,7 +153,7 @@ if (isset($centreon->optGen["display_autologin_shortcut"])) {
 $autoLoginUrl .= "?p=".$root_menu["topology_page"];
 }
 $autoLoginUrl .= "&autologin=1&useralias=$userAlias&token=".$centreon->user->getToken();
-
+
 $prefix = '';
 if (!strncmp($_SERVER["SERVER_PROTOCOL"], "HTTP/", 5)) {
 $prefix .= "http://";
@@ -180,7 +180,7 @@ $firstP = null;
 $sep = " ";
 for ($i = 0; $DBRESULT->numRows() && ($elem = $DBRESULT->fetchRow()); $i++) {
 $firstP ? null : $firstP = $elem["topology_page"];
-
+
 $pageAccess = $centreon->user->access->page($elem["topology_page"]);
 if (($pageAccess == "1") || ($pageAccess == "2")) {
 $elemArr[2][$i] = array("Menu2Sep" => $sep,
@@ -295,7 +295,7 @@ if ($is_admin) {
 $tab_user_non_admin[$session["user_id"]] = array("ip"=>$session["ip_address"], "id"=>$session["user_id"], "alias"=>$session["contact_alias"], "admin"=>$session["contact_admin"]);
 }
 }
-
+
 $tab_user = array_merge($tab_user_admin, $tab_user_non_admin);
 unset($tab_user_admin);
 unset($tab_user_non_admin);
-- 
GitLab
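Review bot: The new `user_login` line calls `htmlentities()` with default flags, which on the PHP releases this 2018 code targets (anything before 8.1) means ENT_COMPAT: double quotes are encoded but single quotes are not, and without ENT_SUBSTITUTE an alias containing invalid UTF-8 comes back as an empty string instead of being displayed. If the template emits `user_login` inside a single-quoted attribute or an inline script, the XSS fix is incomplete; the explicit form `$tpl->assign("user_login", htmlspecialchars($centreon->user->get_alias(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));` is sufficient for an HTML context and pins the quote handling and charset regardless of PHP version and ini defaults. This also only covers the template variable: any other place the alias is emitted (for example a URL built from it further down in this file) needs its own context-specific encoding such as rawurlencode(), not HTML entities. Whether the template actually uses the value in an attribute or script context is not visible from this hunk, so the stricter flags are a safety margin rather than a confirmed bypass.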