Bug #12697

closed

Insufficient validation for smart proxy URL

Added by Daniel Lobato Garcia over 8 years ago. Updated over 8 years ago.

Status: Duplicate
Priority: Normal
Category: -
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Problem: The regex that validates smart proxy URLs only matches 'beginning of text'. This allows us to add just \n after a valid URL and put anything after it. For instance, javascript:alert('hacked'). I haven't found any link to the Foreman proxy URL so the script would not trigger, but if we were to put link_to @smart_proxy.url somewhere (or a plugin did this) it would be unsafe.

Solution: Make the regex match the end of the URL.
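
Added example (not part of the original report and not Foreman's code): a Ruby sketch of the anchoring problem described above, comparing a pattern anchored only at the start, one using the line anchors ^ and $, and one anchored with \A and \z. The three patterns, the helper names and the sample hostname are assumptions made for illustration, since the report does not quote the actual regex.

```ruby
require 'uri'

# Hypothetical patterns: the report does not quote Foreman's actual regex.
START_ONLY    = %r{\Ahttps?://}                    # start anchored, end left open
LINE_ANCHORED = %r{^https?://[^\s/]+(/\S*)?$}      # ^ and $ match per line in Ruby
STRICT        = %r{\Ahttps?://[^\s/]+(/\S*)?\z}    # the whole string must be one URL

# Constructed sample inputs; the trailing text is the one named in the report.
GOOD    = 'https://proxy.example.com:8443'
PAYLOAD = "#{GOOD}\njavascript:alert('hacked')"

# True when the pattern would let the value through a format validation.
def accepts?(pattern, value)
  pattern.match?(value)
end

# Strict pattern plus a parse that confirms an http(s) scheme and a host.
def valid_proxy_url?(value)
  return false unless value.is_a?(String) && STRICT.match?(value)

  uri = URI.parse(value)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  { 'START_ONLY' => START_ONLY, 'LINE_ANCHORED' => LINE_ANCHORED, 'STRICT' => STRICT }.each do |name, pattern|
    puts format('%-13s good=%-5s payload=%s', name, accepts?(pattern, GOOD), accepts?(pattern, PAYLOAD))
  end
  puts "valid_proxy_url?(payload) => #{valid_proxy_url?(PAYLOAD)}"
end
```

In Ruby, \Z still accepts a single trailing newline, which is why the strict pattern ends with \z.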


Related issues 1 (0 open, 1 closed)

Is duplicate of Foreman - Bug #12698: Insufficient URL validation for smart proxy and medium | Closed | Daniel Lobato Garcia | 12/04/2015

#1

Updated by Dominic Cleal over 8 years ago

  • Is duplicate of Bug #12698: Insufficient URL validation for smart proxy and medium added

#2

Updated by Dominic Cleal over 8 years ago

  • Status changed from New to Duplicate