[Bug 450484] New: [RC 1.2] Some parts of installation do not escape HTML in proposals, code is then executed
https://bugzilla.novell.com/show_bug.cgi?id=450484

Summary: [RC 1.2] Some parts of installation do not escape HTML in proposals, code is then executed
Product: openSUSE 11.1
Version: RC 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Minor
Priority: P5 - None
Component: YaST2
AssignedTo: jsuchome@novell.com
ReportedBy: locilka@novell.com
QAContact: jsrain@novell.com
CC: coolo@novell.com
Found By: ---

Created an attachment (id=256958)
--> (https://bugzilla.novell.com/attachment.cgi?id=256958)
Screenshot - proposal

The first place I found is Users in the first stage. You can enter HTML as the user name and it's then processed as HTML later in the proposal. Even if it doesn't make sense for users to try to self-break their system anyhow, and even if HTML in a user name doesn't make sense at all, it raises the question of how other parts of the system are protected and thus makes the system seem less reliable than it actually is. Never trust user input is rule number one ;)
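As an added illustration written for this report (not YaST code), a Ruby sketch of the proposal-summary pattern the bug describes: the user name is dropped into rich-text (HTML) markup unescaped, beside the escaped form that renders the same input as literal text. The function names, the sample user name and the leak check are assumptions.

```ruby
require "cgi"

# Constructed sample of what a user might type into the "user name" field
# in the first-stage Users dialog (not taken from the bug report).
SAMPLE_NAME = '<b>tux</b> <a href="http://example.invalid">x</a>'

# Unescaped variant: mirrors the defect described in the report. The name is
# concatenated straight into the rich-text proposal summary, so any markup
# in it is interpreted by the proposal renderer instead of being displayed.
def users_proposal_summary_unescaped(name)
  "<ul><li>User: #{name}</li></ul>"
end

# Escaped variant: every value that came from user input is run through
# CGI.escapeHTML before it is placed into the markup, so the renderer shows
# the characters the user typed (&lt;b&gt;...) rather than interpreting them.
def users_proposal_summary_escaped(name)
  "<ul><li>User: #{CGI.escapeHTML(name)}</li></ul>"
end

# Defender-side check usable in a unit test: after stripping the wrapper
# markup the module itself emits, no tag originating from the untrusted
# value may survive. Simplistic by design: it treats the module's own
# <ul><li>User: ...</li></ul> wrapper as the only legitimate markup, which
# holds for the two functions above.
def summary_leaks_markup?(summary)
  body = summary.sub(%r{\A<ul><li>User: }, "").sub(%r{</li></ul>\z}, "")
  body.match?(%r{<[a-zA-Z/]})
end

if __FILE__ == $0
  puts users_proposal_summary_unescaped(SAMPLE_NAME)
  puts users_proposal_summary_escaped(SAMPLE_NAME)
  puts "unescaped leaks markup: #{summary_leaks_markup?(users_proposal_summary_unescaped(SAMPLE_NAME))}"
  puts "escaped leaks markup:   #{summary_leaks_markup?(users_proposal_summary_escaped(SAMPLE_NAME))}"
end
```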
--- Comment #1 from Lukas Ocilka
--- Comment #2 from Lukas Ocilka
--- Comment #3 from Jiří Suchomel
> Never trust user input is rule number one ;)

That would be a bad rule. The Linux system is actually very insecure: imagine that a user with administrator's rights can do anything to it!