fix(conf): protect hostname resolver from XSS #7043

vhr · 2018-12-12T07:06:24Z

Resolve MON-3228

kduret · 2018-12-12T07:34:56Z

www/include/configuration/configObject/host/resolveHostName.php

+    array('&lt;', '&gt;'),
+    $_GET['hostName']
+);
+echo gethostbyname($hostName);


should not be better echo htmlentities(gethostbyname($hostName)); ?

If we do that the result will be:

I propose to strip the tags and remove all chars that are not compatible with the hostname.

Resolve MON-3228

sc979 · 2018-12-28T08:34:08Z

QA validationfailed :'(

Resolve MON-3228

fix(conf): protect hostname resolver from XSS

b960d06

Resolve MON-3228

vhr added the area/configuration label Dec 12, 2018

vhr requested review from miteto, callapa, lpinsivy, leoncx, kduret, victorvassilev and sc979 December 12, 2018 07:06

kduret reviewed Dec 12, 2018

View reviewed changes

kduret approved these changes Dec 12, 2018

View reviewed changes

sc979 approved these changes Dec 14, 2018

View reviewed changes

fix(config): escape IP column in list too

5c94505

Resolve MON-3228

lpinsivy added kind/bug kind/security labels Dec 21, 2018

fix(mon): prevent showing of html tags in host.host_address column

31c9f54

Resolve MON-3228

kduret approved these changes Jan 3, 2019

View reviewed changes

sc979 approved these changes Jan 3, 2019

View reviewed changes

vhr merged commit 05b7590 into 2.8.x Jan 9, 2019

vhr deleted the MON-3228-xss-hostname-resolver branch January 9, 2019 14:54

Provide feedback