Project

General

Profile

Download (3.38 KB)

Bug #5881 » 0001-fixes-5881-XSS-from-create-update-destroy-notificati.patch

v3 patch against 1.4-stable - Dominic Cleal, 06/17/2014 04:04 PM

View differences:

app/controllers/application_controller.rb
end
def notice notice
flash[:notice] = notice
flash[:notice] = CGI::escapeHTML(notice)
end
def error error
flash[:error] = error
flash[:error] = CGI::escapeHTML(error)
end
def warning warning
flash[:warning] = warning
flash[:warning] = CGI::escapeHTML(warning)
end
# this method is used with nested resources, where obj_id is passed into the parameters hash.
......
hash[:error_msg] = [hash[:error_msg]].flatten
hash[:error_msg] = hash[:error_msg].join("<br/>")
if hash[:render]
flash.now[:error] = hash[:error_msg] unless hash[:error_msg].empty?
flash.now[:error] = CGI::escapeHTML(hash[:error_msg]) unless hash[:error_msg].empty?
render hash[:render]
return
elsif hash[:redirect]
app/controllers/hostgroups_controller.rb
process_error
end
rescue Ancestry::AncestryException
flash[:error] = _("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label }
process_error
process_error(:error_msg => ("Cannot delete group %{current} because it has nested groups.") % { :current => @hostgroup.label } )
end
end
test/functional/smart_proxies_controller_test.rb
def test_refresh_fail
proxy = smart_proxies(:one)
errors = ActiveModel::Errors.new(Host::Managed.new)
errors.add :base, "Unable to communicate with the proxy: it's down"
errors.add :base, "Unable to communicate with the proxy: it is down"
SmartProxy.any_instance.stubs(:errors).returns(errors)
SmartProxy.any_instance.stubs(:associate_features).returns(true)
post :refresh, {:id => proxy}, set_session_user
assert_redirected_to smart_proxies_url
assert_equal "Unable to communicate with the proxy: it's down", flash[:error]
assert_equal "Unable to communicate with the proxy: it is down", flash[:error]
end
end
(4-4/4)