
Special:NovaSudoer XSS

Authored By
Bawolff
Sep 8 2018, 5:06 PM

Special:NovaSudoer XSS

From 7fc78b686dbe6951ec04bc49203b9dfeb8199b1b Mon Sep 17 00:00:00 2001
From: Brian Wolff <bawolff+wn@gmail.com>
Date: Sat, 8 Sep 2018 17:02:26 +0000
Subject: [PATCH] SECURITY: Escape usernames on Special:NovaSudoer
Additionally fix incorrect syntax for the defaults option.
It is unclear to me how exploitable this is, as I'm not sure
if usernames/servicenames are ever allowed to have < or > in them.
Discovered by phan-taint-check
Bug: T203885
Change-Id: Idea8edc09805675d53e8397ea0fa3128f164e111
---
special/SpecialNovaSudoer.php | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/special/SpecialNovaSudoer.php b/special/SpecialNovaSudoer.php
index 290b02a..9163828 100644
--- a/special/SpecialNovaSudoer.php
+++ b/special/SpecialNovaSudoer.php
@@ -295,24 +295,24 @@ class SpecialNovaSudoer extends SpecialNova {
# Add the 'all project members' option to the top
$projectGroup = "%" . $project->getProjectGroupName();
$all_members = $this->msg( 'openstackmanager-allmembers' )->text();
- $user_keys[$all_members] = $all_members;
+ $user_keys[htmlspecialchars( $all_members )] = $all_members;
if ( in_array( 'ALL', $sudomembers ) || in_array( $projectGroup, $sudomembers ) ) {
- $user_defaults[$all_members] = $all_members;
+ $user_defaults[] = $all_members;
}
foreach ( $projectuids as $userUid ) {
$projectmember = $project->memberForUid( $userUid );
- $user_keys[$projectmember] = $userUid;
+ $user_keys[htmlspecialchars( $projectmember )] = $userUid;
if ( in_array( $userUid, $sudomembers ) ) {
- $user_defaults[$projectmember] = $userUid;
+ $user_defaults[] = $userUid;
}
}
foreach ( $projectserviceusers as $serviceuser ) {
- $user_keys[$serviceuser] = $serviceuser;
+ $user_keys[htmlspecialchars( $serviceuser )] = $serviceuser;
if ( in_array( $serviceuser, $sudomembers ) ) {
- $user_defaults[$serviceuser] = $serviceuser;
+ $user_defaults[] = $serviceuser;
}
}
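Review bot: The new `htmlspecialchars( ... )` calls on the option keys use the default flag set, which on the PHP versions of this era leaves single quotes unescaped; if the form renderer ever places these labels inside a single-quoted attribute rather than element content, that is a residual gap, so passing `ENT_QUOTES` explicitly (`$user_keys[htmlspecialchars( $projectmember, ENT_QUOTES )] = $userUid;`, and likewise for `$all_members` and `$serviceuser`) costs nothing and removes the dependence on the runtime default. The asymmetry that keys are escaped while values are not is presumably because the consuming form field treats keys as label HTML and escapes values itself, but nothing in the hunk says so; a one-line comment above the first assignment, `# Option keys are emitted as raw label HTML by the form field; values are escaped downstream`, would stop a future maintainer from "fixing" it in either direction. The three `in_array` checks on `$sudomembers` use loose comparison; `in_array( $userUid, $sudomembers, true )` is the safer form for membership tests on strings. The enclosing method starts and ends outside the hunk.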
--
2.8.1
