Sanitize request URLs for the 404 template (bsc#1216754)
(cherry picked from commit 4c68177)
cbbayburt committed Dec 13, 2023
1 parent 418b20b commit 808e37b
Showing 4 changed files with 12 additions and 3 deletions.
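--- a/java/code/src/com/suse/manager/webui/Router.java
+++ b/java/code/src/com/suse/manager/webui/Router.java
@@ -84,6 +84,8 @@
 
 import org.apache.http.HttpStatus;
 
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 
 import spark.ModelAndView;
@@ -247,7 +249,8 @@ private void initNotFoundRoutes(JadeTemplateEngine jade) {
 if (isJson(response) || isApiRequest(request)) {
 return json(response, Collections.singletonMap("message", "404 Not found"));
 }
-var data = Collections.singletonMap("currentUrl", request.pathInfo());
+var data = Collections.singletonMap("currentUrl",
+URLEncoder.encode(request.pathInfo(), StandardCharsets.UTF_8));
 return jade.render(new ModelAndView(data, "templates/errors/404.jade"));
 });
 
@@ -257,7 +260,8 @@ private void initNotFoundRoutes(JadeTemplateEngine jade) {
 response.body(json(response, Collections.singletonMap("message", "404 Not found")));
 }
 else {
-var data = Collections.singletonMap("currentUrl", request.pathInfo());
+var data = Collections.singletonMap("currentUrl",
+URLEncoder.encode(request.pathInfo(), StandardCharsets.UTF_8));
 response.body(jade.render(new ModelAndView(data, "templates/errors/404.jade")));
 }
 });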
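Review bot: `URLEncoder.encode` emits form encoding, so a space in `request.pathInfo()` is written as `+`, and the `decodeURIComponent` call this commit adds in not-found.tsx leaves `+` untouched; a missing path that contains spaces would be displayed with plus signs. Appending `.replace("+", "%20")` to both `URLEncoder.encode(request.pathInfo(), StandardCharsets.UTF_8)` calls in initNotFoundRoutes makes the two sides agree, since a literal plus is already emitted as `%2B`. The same two lines appear in both handlers, so a small private helper would keep them from drifting apart, with a comment such as `// Percent-encoded so the raw path cannot alter the 404 template; decoded again in not-found.tsx`. Whether the encoded value is safe also depends on how 404.jade embeds `currentUrl`, which is not shown here; initNotFoundRoutes starts and ends outside both hunks.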
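--- a/java/spacewalk-java.changes.cbbayburt.bsc1216754
+++ b/java/spacewalk-java.changes.cbbayburt.bsc1216754
@@ -0,0 +1 @@
+- Safeguard request URLs against tempering (bsc#1216754)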
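--- a/web/html/src/manager/errors/not-found.tsx
+++ b/web/html/src/manager/errors/not-found.tsx
@@ -38,4 +38,7 @@ const NotFound = ({ currentUrl }) => (
 );
 
 export const renderer = (id: string, { currentUrl }) =>
-SpaRenderer.renderNavigationReact(<NotFound currentUrl={currentUrl} />, document.getElementById(id));
+SpaRenderer.renderNavigationReact(
+<NotFound currentUrl={decodeURIComponent(currentUrl)} />,
+document.getElementById(id)
+);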
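Review bot: `decodeURIComponent(currentUrl)` in `renderer` throws a URIError on a malformed escape sequence and turns a missing value into the string "undefined", so the 404 page itself can fail to render if the template ever passes something other than the server's encoded path. A guarded decode that falls back to the value as received keeps the error page working. The decoded string should only ever be rendered as text by `NotFound`, whose body lies outside this hunk.

```typescript
// Decode the percent-encoded path from the server; fall back to the raw value if it is malformed.
const safeDecode = (value: string): string => {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value;
  }
};

export const renderer = (id: string, { currentUrl }) =>
  SpaRenderer.renderNavigationReact(
    <NotFound currentUrl={safeDecode(currentUrl)} />,
    document.getElementById(id)
  );
```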
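--- a/web/spacewalk-web.changes.cbbayburt.bsc1216754
+++ b/web/spacewalk-web.changes.cbbayburt.bsc1216754
@@ -0,0 +1 @@
+- Safeguard request URLs against tempering (bsc#1216754)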
