Einav Cohen has submitted this change and it was merged.

Change subject: core: Avoid XSS in RedirectServlet
......................................................................

core: Avoid XSS in RedirectServlet

Currently the RedirectServlet composes JavaScript code to show error
messages using text provided by the user in a request parameter. This
text isn't sanitized and thus can be used by malicious users to execute
arbitrary JavaScript code.

To avoid this situation this patch changes the servlet so that it
doesn't receive any parameter, thus the problem is completely avoided.

Signed-off-by: Alexander Wels <aw...@redhat.com>
Signed-off-by: Juan Hernandez <juan.hernan...@redhat.com>
Change-Id: Ie77e6a063e1522b2e108076a240939ca1dae272e
---
D backend/manager/modules/root/src/main/java/org/ovirt/engine/core/redirect/RedirectServlet.java
A backend/manager/modules/root/src/main/java/org/ovirt/engine/core/redirect/ReportsRedirectServlet.java
M backend/manager/modules/root/src/main/webapp/WEB-INF/web.xml
M packaging/branding/ovirt.brand/welcome_page.template
4 files changed, 48 insertions(+), 112 deletions(-)

Approvals:
  Einav Cohen: Verified; Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/19152
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie77e6a063e1522b2e108076a240939ca1dae272e
Gerrit-PatchSet: 4
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Alexander Wels <aw...@redhat.com>
Gerrit-Reviewer: Einav Cohen <eco...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Ofer Schreiber <oschr...@redhat.com>
Gerrit-Reviewer: oVirt Jenkins CI Server

_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
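The pattern the commit message describes, and the two ways of closing it, as an added illustration that is not oVirt's RedirectServlet or ReportsRedirectServlet code. The class names, the `error` parameter name, the `showError` function and the fixed message are constructed for the example; the servlet API (`javax.servlet`) is assumed. The first class shows how an unencoded request parameter inside a `<script>` block becomes reflected XSS; the second shows the approach the patch takes (the servlet accepts no parameter, so only server-controlled text reaches the page), and the helper shows the fallback when a value really has to be reflected: emit it as a properly escaped JavaScript string literal, with `<`, `>`, `&` and `/` also escaped so the value can never close the surrounding `<script>` element.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical servlet showing the vulnerable pattern (not oVirt's code). */
class VulnerableRedirectServletExample extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // User-controlled text is concatenated straight into a JavaScript string
        // literal. A value containing a quote ends the literal, and whatever follows
        // is parsed and executed as script by the browser: reflected XSS.
        String error = req.getParameter("error");
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><script>");
        out.println("showError('" + error + "');");
        out.println("</script></body></html>");
    }
}

/** Hypothetical fixed servlet: no request parameter is read at all. */
class ReportsRedirectServletExample extends HttpServlet {
    // Constructed, server-controlled message; nothing from the request reaches the page.
    private static final String MESSAGE = "The reports service is not available.";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        // Security headers: forbid MIME sniffing and, belt and braces, allow only
        // same-origin script in case a later change reintroduces dynamic content.
        resp.setHeader("X-Content-Type-Options", "nosniff");
        resp.setHeader("Content-Security-Policy", "default-src 'self'");
        PrintWriter out = resp.getWriter();
        out.println("<html><body><script>");
        // Even the constant goes through the encoder, so a future edit that swaps in a
        // variable cannot silently reopen the hole.
        out.println("showError(" + JsEncoder.toJsStringLiteral(MESSAGE) + ");");
        out.println("</script></body></html>");
    }
}

/** Encoder for the fallback case where a value genuinely must be reflected into script. */
final class JsEncoder {
    private JsEncoder() {}

    /**
     * Returns s wrapped in single quotes as a JavaScript string literal. Quotes,
     * backslashes and control characters are escaped so the literal cannot be closed
     * early; '<', '>', '&' and '/' are emitted as \\uXXXX escapes so the output cannot
     * contain "</script>"; U+2028/U+2029 are escaped because JavaScript treats them
     * as line terminators inside a literal.
     */
    static String toJsStringLiteral(String s) {
        StringBuilder sb = new StringBuilder("'");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '\'': sb.append("\\'"); break;
                case '"':  sb.append("\\\""); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '<': case '>': case '&': case '/':
                case '\u2028': case '\u2029':
                    sb.append(String.format("\\u%04x", (int) c));
                    break;
                default:
                    if (c < 0x20) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('\'').toString();
    }
}
```

The patch's choice of dropping the parameter altogether is the stronger fix: there is no encoder to get wrong and nothing for a reviewer to re-check on every later change. The encoder is the defence to reach for only when the reflected value carries real functionality; in that case, encode for the exact context (a JavaScript string literal here, not HTML), and keep the CSP and `nosniff` headers as a second layer.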