View Issue Details

ID: 0013228
Project: Tine 2.0
Category: Addressbook
View Status: public
Last Update: 2017-09-11 13:34
Reporter: SOWIWAS
Assigned To: mspahn
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2017.02.4 Community Edition
Target Version: 2016.11.9dev1 Egon BE Develop
Fixed in Version: 2016.11.9dev1 Egon BE Develop
Summary: 0013228: CVE-2017-1000164: Unescaped values for displayed name and company
Description: At least in the addressbook overview there are 3 possible ways to inject HTML. This should probably be checked on more fields or displays.
Steps To Reproduce: Create a new address entry:

 First Name: <a href="">foo</a>
 Last Name: <a href="">bar</a>
 Company: <a href="">baz</a>

All those entries are visible in the ContactGridDetailsPanel and in the Grid only Company is escaped.
Tags: No tags attached.
mwticket

Activities

mspahn (administrator), 2017-06-19 12:28, note ~0020356:

http://gerrit.tine20.com/customers/#/c/4893/
mspahn (administrator), 2017-06-20 12:58, attached file:

0001-0013228-Unescaped-values-for-displayed-name-and-comp.patch (3,061 bytes)
From 84f6886399fc2c68ca8bcc8b20ff1c7a6758d4f8 Mon Sep 17 00:00:00 2001
From: Michael Spahn <m.spahn@metaways.de>
Date: Mon, 19 Jun 2017 12:26:33 +0200
Subject: [PATCH] 0013228: Unescaped values for displayed name and company

https://forge.tine20.org/view.php?id=13228

Change-Id: I93e4c9dd72ed3e1cc9f79949e57349b7e27b8bdd
Reviewed-on: http://gerrit.tine20.com/customers/4893
Reviewed-by: Michael Spahn <m.spahn@metaways.de>
Tested-by: Michael Spahn <m.spahn@metaways.de>
---
 tine20/Addressbook/js/ContactGrid.js                     | 2 +-
 tine20/Addressbook/js/ContactGridDetailsPanel.js         | 2 +-
 tine20/Tinebase/js/widgets/display/RecordDisplayPanel.js | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tine20/Addressbook/js/ContactGrid.js b/tine20/Addressbook/js/ContactGrid.js
index f8f1148bba..87f880c64e 100644
--- a/tine20/Addressbook/js/ContactGrid.js
+++ b/tine20/Addressbook/js/ContactGrid.js
@@ -166,7 +166,7 @@ Tine.Addressbook.ContactGridPanel.contactTypeRenderer = function(data, cell, rec
 
 Tine.Addressbook.ContactGridPanel.displayNameRenderer = function(data) {
     var i18n = Tine.Tinebase.appMgr.get('Addressbook').i18n;
-    return data ? data : ('<div class="renderer_displayNameRenderer_noName">' + i18n._('No name') + '</div>');
+    return data ?  Tine.Tinebase.EncodingHelper.encode(data) : ('<div class="renderer_displayNameRenderer_noName">' + i18n._('No name') + '</div>');
 };
 
 Tine.Addressbook.ContactGridPanel.countryRenderer = function(data) {
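Review bot: style nit on the `+` line: double space in `data ?  Tine.Tinebase.EncodingHelper.encode(data)`. Encoding only the truthy branch is correct, since the fallback `<div>` is static markup and `i18n._('No name')` is a translation string rather than record data; a one-line comment above the renderer saying that the column renders raw HTML and therefore the name must be encoded here would keep a later cleanup from dropping the call.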
diff --git a/tine20/Addressbook/js/ContactGridDetailsPanel.js b/tine20/Addressbook/js/ContactGridDetailsPanel.js
index 1f770cb9f8..82389ecc34 100644
--- a/tine20/Addressbook/js/ContactGridDetailsPanel.js
+++ b/tine20/Addressbook/js/ContactGridDetailsPanel.js
@@ -87,7 +87,7 @@ Tine.Addressbook.ContactGridDetailsPanel = Ext.extend(Tine.widgets.grid.DetailsP
                                         hideLabel: true,
                                         htmlEncode: false,
                                         renderer: function(value) {
-                                            return '<b>' + value + '</b>';
+                                            return '<b>' +  Tine.Tinebase.EncodingHelper.encode(value) + '</b>';
                                         }
                                     }, {
                                         xtype: 'ux.displayfield',
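Review bot: `htmlEncode: false` stays (it has to, because the renderer emits its own `<b>` tags), which makes this renderer the only place `value` is encoded; a short comment next to `htmlEncode: false` stating that the renderer encodes the value itself would make that dependency explicit for the next person editing the panel. Same double-space nit after `'<b>' +` on the `+` line.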
diff --git a/tine20/Tinebase/js/widgets/display/RecordDisplayPanel.js b/tine20/Tinebase/js/widgets/display/RecordDisplayPanel.js
index 8be3213e4a..1ff6cfaa80 100644
--- a/tine20/Tinebase/js/widgets/display/RecordDisplayPanel.js
+++ b/tine20/Tinebase/js/widgets/display/RecordDisplayPanel.js
@@ -178,7 +178,7 @@ Tine.widgets.display.RecordDisplayPanel = Ext.extend(Ext.ux.display.DisplayPanel
     },
 
     titleRenderer: function(title) {
-        return this.record ? this.record.getTitle() : title;
+        return this.record ? Tine.Tinebase.EncodingHelper.encode(this.record.getTitle()) : Tine.Tinebase.EncodingHelper.encode(title);
     }
 });
 
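Review bot: the two branches can be collapsed to `return Tine.Tinebase.EncodingHelper.encode(this.record ? this.record.getTitle() : title);`, which is shorter and makes it obvious that both paths are encoded. Since `RecordDisplayPanel` lives under Tinebase and is shared by other applications, it is worth checking that no caller passes an already-encoded `title` and that no `getTitle()` implementation intentionally returns markup, as those would now be double-encoded or shown literally.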
-- 
2.13.1
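As an added illustration of the report above and of the renderer-level encoding the patch applies (example code, not Tine 2.0's own): the two vulnerable renderers beside their encoded forms, run over the three reproduction values, with a stand-in for Tine.Tinebase.EncodingHelper.encode whose exact behaviour is assumed.

```javascript
// Added example (not Tine 2.0 code). A minimal HTML encoder stands in for
// Tine.Tinebase.EncodingHelper.encode, whose exact behaviour is assumed here.
function encode(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // ampersand first, so later entities are not re-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Static fallback markup of the grid renderer; the i18n lookup is replaced by a literal.
const NO_NAME = '<div class="renderer_displayNameRenderer_noName">No name</div>';

// Grid display-name renderer before and after the fix.
function displayNameRendererBefore(data) {
  return data ? data : NO_NAME;         // record value reaches the cell as raw HTML
}
function displayNameRendererAfter(data) {
  return data ? encode(data) : NO_NAME; // only the untrusted value is encoded
}

// Details-panel name renderer before and after the fix. htmlEncode: false has to stay
// because the renderer emits its own <b> tags, so encoding is the renderer's job.
function boldNameRendererBefore(value) {
  return '<b>' + value + '</b>';
}
function boldNameRendererAfter(value) {
  return '<b>' + encode(value) + '</b>';
}

// Constructed reproduction values, taken from the steps in the report.
const REPRO_VALUES = ['<a href="">foo</a>', '<a href="">bar</a>', '<a href="">baz</a>'];

// Regression check for a renderer: strip the markup the renderer itself is allowed to
// emit, then look for any remaining tag. True means record data reached the DOM unencoded.
function leaksMarkup(renderer, values, allowedMarkup) {
  return values.some(function (v) {
    var out = renderer(v);
    allowedMarkup.forEach(function (m) { out = out.split(m).join(''); });
    return /<[a-z\/]/i.test(out);
  });
}

console.log('grid before: ', leaksMarkup(displayNameRendererBefore, REPRO_VALUES, [NO_NAME]));      // true
console.log('grid after:  ', leaksMarkup(displayNameRendererAfter, REPRO_VALUES, [NO_NAME]));       // false
console.log('panel before:', leaksMarkup(boldNameRendererBefore, REPRO_VALUES, ['<b>', '</b>'])); // true
console.log('panel after: ', leaksMarkup(boldNameRendererAfter, REPRO_VALUES, ['<b>', '</b>']));  // false
```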

Issue History

Date Modified Username Field Change
2017-06-16 19:04 SOWIWAS New Issue
2017-06-19 11:57 mspahn Assigned To => mspahn
2017-06-19 12:28 mspahn Status new => gerrit
2017-06-19 12:28 mspahn Note Added: 0020356
2017-06-19 15:47 mspahn Status gerrit => resolved
2017-06-19 15:47 mspahn Resolution open => fixed
2017-06-19 15:47 mspahn Fixed in Version => 2016.11.9dev1 Egon BE Develop
2017-06-20 11:30 pschuele Target Version => 2016.11.9dev1 Egon BE Develop
2017-06-20 12:37 mspahn View Status private => public
2017-06-20 12:58 mspahn File Added: 0001-0013228-Unescaped-values-for-displayed-name-and-comp.patch
2017-09-11 13:34 mspahn Summary Unescaped values for displayed name and company => CVE-2017-1000164: Unescaped values for displayed name and company