From f4bf464643fef326d6b2c0233eee0a95b0a26d98 Mon Sep 17 00:00:00 2001
From: Maximilien Bersoult <mbersoult@centreon.com>
Date: Wed, 2 May 2018 10:34:38 +0200
Subject: [PATCH] fix(sec): Fix XSS on command form

* Fix XSS for describe arguments and macros
---
 www/class/centreonCommand.class.php | 2 +-
 .../configuration/configObject/command/formArguments.php | 5 +++--
 .../configObject/command/javascript/commandJs.php | 8 ++++----
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/www/class/centreonCommand.class.php b/www/class/centreonCommand.class.php
index 7d57c968a1..9a0f8b9eb5 100755
--- a/www/class/centreonCommand.class.php
+++ b/www/class/centreonCommand.class.php
@@ -253,7 +253,7 @@ class CentreonCommand
 while ($row = $dbResult->fetchRow()) {
 $arr['id'] = $row['command_macro_id'];
 $arr['name'] = $row['command_macro_name'];
- $arr['description'] = $row['command_macro_desciption'];
+ $arr['description'] = htmlentities($row['command_macro_desciption']);
 $arr['type'] = $sType;
 $aReturn[] = $arr;
 }
diff --git a/www/include/configuration/configObject/command/formArguments.php b/www/include/configuration/configObject/command/formArguments.php
index e806354fe3..1ba317b4f2 100644
--- a/www/include/configuration/configObject/command/formArguments.php
+++ b/www/include/configuration/configObject/command/formArguments.php
@@ -62,12 +62,13 @@ if (isset($_GET['cmd_line']) && $_GET['cmd_line']) {
 }
 
 if (isset($_GET['textArea']) && $_GET['textArea']) {
- $tab = preg_split("/\;\;\;/", $_GET['textArea']);
+ $textArea = urldecode($_GET['textArea']);
+ $tab = preg_split("/\;\;\;/", $textArea);
 foreach ($tab as $key => $value) {
 $tab2 = preg_split("/\ \:\ /", $value, 2);
 $index = str_replace("ARG", "", $tab2[0]);
 if (isset($tab2[0]) && $tab2[0]) {
- $args[$index] = $tab2[1];
+ $args[$index] = htmlentities($tab2[1]);
 }
 }
 }
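Review bot: The `htmlentities()` added on the `$arr['description']` line relies on the default flags, which on the PHP versions this code targets (before 8.1) are `ENT_COMPAT | ENT_HTML401` and leave single quotes unencoded, so a description containing `'` still breaks out of a single-quoted attribute or inline string at any consumer that places it there. Pass the flags explicitly: `$arr['description'] = htmlentities($row['command_macro_desciption'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. Encoding inside the data-access method also hands HTML-encoded text to every caller of this method, so a template that escapes on output will double-encode and a caller wanting the raw value (export, API) receives entities; escaping at the output sink is the more robust placement. The enclosing method starts and ends outside the hunk, so which callers consume the value cannot be seen here.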
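Review bot: The new `urldecode($_GET['textArea'])` decodes a value PHP has already URL-decoded when it populated `$_GET`, so the text is decoded twice: a description that legitimately contains `+` or a `%xx` sequence is altered, and text the browser sent encoded once is turned back into raw markup before `htmlentities()` runs (the later escaping still neutralises it, but the extra decode is wrong and, since the caller now uses `encodeURIComponent`, unnecessary); revert to `$tab = preg_split("/\;\;\;/", $_GET['textArea']);`. The guard `isset($tab2[0])` tests the wrong element — `preg_split` with limit 2 yields no `$tab2[1]` when the `" : "` separator is absent — so `htmlentities($tab2[1])` reads an undefined index; use `$args[$index] = htmlentities(isset($tab2[1]) ? $tab2[1] : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, which also sets the explicit flags for the same single-quote reason as in centreonCommand.class.php. The `cmd_line` branch whose closing brace opens this hunk is not changed by the commit and its body lies outside the hunk; if it echoes `$_GET['cmd_line']`, it needs the same escaping.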
diff --git a/www/include/configuration/configObject/command/javascript/commandJs.php b/www/include/configuration/configObject/command/javascript/commandJs.php index c25034c479..df61a49c08 100644 --- a/www/include/configuration/configObject/command/javascript/commandJs.php +++ b/www/include/configuration/configObject/command/javascript/commandJs.php @@ -45,7 +45,7 @@ function goPopup() { listArea = document.getElementById('listOfArg'); tmpStr = listArea.value; - tmpStr = tmpStr.replace(reg, ";;;"); + tmpStr = encodeURIComponent(tmpStr.replace(reg, ";;;")); cmd_line = document.getElementById('command_line').value; Modalbox.show('./include/configuration/configObject/command/formArguments.php?cmd_line=' + cmd_line + '&textArea=' + tmpStr, {title: 'Argument description', width:800}); @@ -101,10 +101,10 @@ function setMacrosDescriptions() { } tmpStr2 += "MACRO ("+ type +") "+ document.getElementById('macro_'+i).value + " : " + document.getElementById('desc_'+i).value + "\n"; } - + listArea.cols= 100; listArea.rows= i; - + listArea.value = tmpStr2; listDiv.style.visibility = "visible"; Modalbox.hide(); @@ -139,4 +139,4 @@ function checkType(value) { jQuery('form#Form').attr('action', action); } -</script> \ No newline at end of file +</script> -- GitLab
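Review bot: `cmd_line` is still concatenated raw into the `Modalbox.show` URL two lines below the changed line, while `tmpStr` now goes through `encodeURIComponent`; a command line containing `&`, `#` or `%` splits or corrupts the query string, and the value reaches formArguments.php un-encoded even though that page's `cmd_line` handling is not covered by this commit. Apply the same treatment on the line above it: `cmd_line = encodeURIComponent(document.getElementById('command_line').value);`. Since the browser-side code now percent-encodes `tmpStr` exactly once and PHP decodes query parameters once into `$_GET`, the `urldecode()` added in formArguments.php double-decodes and should be dropped. goPopup's opening and closing lines lie outside the hunk.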