Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve template injection with context name #9650

Closed
asmecher opened this issue Jan 25, 2024 · 8 comments
Closed

Resolve template injection with context name #9650

asmecher opened this issue Jan 25, 2024 · 8 comments
Assignees
@asmecher
Milestone
3.3.0-17

Comments

@asmecher
Copy link
Member

asmecher commented Jan 25, 2024
edited
Loading

Describe the bug
The context name (e.g. journal name in OJS or site name) is susceptible to Vue template injection (e.g. {{ 4*5 }} will present as 20 rather than as a literal string.

After some review, the impact of this issue is fortunately low -- the affected fields are for privileged users, who already (intentionally) have tools to e.g. enter arbitrary Javascript in certain fields. Injectability requires:

  • The content must be inserted into back-end template markup (e.g. using Smarty)
  • The content must not be added to the DOM dynamically, i.e. it must be present in the initial page generation.

We were not able to identify other cases meeting these requirements.

What application are you using?
OJS, OMP or OPS version 3.4.0

Reported by Daniel Barros.
@asmecher asmecher added this to the 3.4.0-5 milestone Jan 25, 2024
asmecher added a commit to asmecher/pkp-lib that referenced this issue Jan 26, 2024
@asmecher
pkp#9650 Fix template injection in context name (stable-3_3_0)
6320766
asmecher added a commit to asmecher/pkp-lib that referenced this issue Jan 26, 2024
@asmecher
pkp#9650 Fix template injection in context name (stable-3_4_0)
e9bb209
asmecher added a commit to asmecher/pkp-lib that referenced this issue Jan 26, 2024
@asmecher
pkp#9650 Fix template injection in context name (main)
19bfa79
asmecher added a commit to asmecher/pkp-lib that referenced this issue Jan 26, 2024
@asmecher
pkp#9650 Fix template injection in context name (main)
d947f9b
asmecher added a commit to asmecher/pkp-lib that referenced this issue Jan 26, 2024
@asmecher
pkp#9650 Fix template injection in context name (stable-3_4_0)
70ee63a
asmecher added a commit to asmecher/pkp-lib that referenced this issue Jan 26, 2024
@asmecher
pkp#9650 Fix template injection in context name (stable-3_3_0)
7cc57af
@asmecher
Copy link
Member Author

PRs:

@asmecher asmecher modified the milestones: 3.4.0-5, 3.3.0-17 Jan 26, 2024
@asmecher
Copy link
Member Author

@jardakotesovec, could you review the PRs? I've tested them here. Thanks!

jardakotesovec added a commit to jardakotesovec/ojs that referenced this issue Feb 8, 2024
@jardakotesovec
pkp/pkp-lib#9650 Submodule update ##jardakotesovec/i9650_3_4_0##
38bcda1
jardakotesovec added a commit to jardakotesovec/pkp-lib that referenced this issue Feb 8, 2024
@jardakotesovec
pkp#9650 Prevent template injection
b354848
jardakotesovec added a commit to jardakotesovec/pkp-lib that referenced this issue Feb 8, 2024
@jardakotesovec
pkp#9650 Prevent template injection
ce7d537
jardakotesovec added a commit to jardakotesovec/ojs that referenced this issue Feb 8, 2024
@jardakotesovec
pkp/pkp-lib#9650 Submodule update ##jardakotesovec/i9650_3_4_0##
acbb601
jardakotesovec added a commit to jardakotesovec/ojs that referenced this issue Feb 8, 2024
@jardakotesovec
pkp/pkp-lib#9650 Submodule update ##jardakotesovec/i9650_3_4_0##
3aed128
@jardakotesovec
Copy link
Contributor

jardakotesovec commented Feb 8, 2024
edited
Loading

3.3
ojs (only tests): pkp/ojs#4181
pkp-lib: #9712
3.4
ojs (only tests): pkp/ojs#4180
pkp-lib: #9711

jardakotesovec added a commit to jardakotesovec/pkp-lib that referenced this issue Feb 8, 2024
@jardakotesovec
pkp#9650 Prevent template injection
4245c78
jardakotesovec added a commit to jardakotesovec/ojs that referenced this issue Feb 8, 2024
@jardakotesovec
pkp/pkp-lib#9650 Submodule update ##jardakotesovec/i9650_3_3_0##
b8c3b63
@jardakotesovec
Copy link
Contributor

@asmecher Tests are passing - for 3.3.0 most of the runs are passing, which I think we consider as pass :-). So feel free to merge these.

asmecher pushed a commit that referenced this issue Feb 8, 2024
@jardakotesovec
#9650 Prevent template injection (#9711)
42de372
@asmecher
Copy link
Member Author

asmecher commented Feb 8, 2024

Sorry for the headache, @jardakotesovec, but could you reformat the stable-3_3_0 changes with tabs instead of spaces? (At some point this will go away!)

jardakotesovec added a commit to jardakotesovec/pkp-lib that referenced this issue Feb 8, 2024
@jardakotesovec
pkp#9650 reformat with tabs
b21e056
jardakotesovec added a commit to jardakotesovec/pkp-lib that referenced this issue Feb 8, 2024
@jardakotesovec
pkp#9650 reformat with tabs
b850b31
jardakotesovec added a commit to jardakotesovec/pkp-lib that referenced this issue Feb 8, 2024
@jardakotesovec
pkp#9650 Prevent template injection
5f18bde
@jardakotesovec
Copy link
Contributor

@asmecher should be better now..

asmecher pushed a commit that referenced this issue Feb 8, 2024
@jardakotesovec @asmecher
#9650 Prevent template injection
e0d0758
@asmecher
Copy link
Member Author

asmecher commented Feb 8, 2024

Thanks! There was an accidental submodule update, but I removed it. I'll file a new issue for main so we don't forget to deal with 3.5.0 and forward.

@asmecher asmecher closed this as completed Feb 8, 2024
@asmecher asmecher mentioned this issue Feb 8, 2024
Closed
@jardakotesovec
Copy link
Contributor

Ops, not sure how that happened. Sorry about that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@asmecher asmecher

Labels
None yet
Projects
None yet
Milestone
3.3.0-17
Development

No branches or pull requests
2 participants
@asmecher @jardakotesovec