root
/
rabbitmq-server
mirror of https://github.com/rabbitmq/rabbitmq-server.git
1
0
Fork 0
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Correctly escape cluster name and user name (and version strings, which I don't think are conceivably exploitable but since we're here...)

This commit is contained in:
Simon MacMullen 2015-01-06 12:34:57 +00:00
parent 7c5e8aa5b6
commit 8566771371
1 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
deps/rabbitmq_management/priv/www/js/global.js vendored
View File

@ -166,14 +166,14 @@ function setup_global_vars() {
user_administrator = jQuery.inArray("administrator", user_tags) != -1; user_administrator = jQuery.inArray("administrator", user_tags) != -1;
user_monitor = jQuery.inArray("monitoring", user_tags) != -1; user_monitor = jQuery.inArray("monitoring", user_tags) != -1;
replace_content('login-details', replace_content('login-details',
'<p>User: <b>' + user.name + '</b></p>' + '<p>User: <b>' + fmt_escape_html(user.name) + '</b></p>' +
'<p>Cluster: <b>' + overview.cluster_name + '</b> ' + '<p>Cluster: <b>' + fmt_escape_html(overview.cluster_name) + '</b> ' +
(user_administrator ? (user_administrator ?
'(<a href="#/cluster-name">change</a>)' : '') + '</p>' + '(<a href="#/cluster-name">change</a>)' : '') + '</p>' +
'<p>RabbitMQ ' + overview.rabbitmq_version + '<p>RabbitMQ ' + fmt_escape_html(overview.rabbitmq_version) +
', <acronym class="normal" title="' + ', <acronym class="normal" title="' +
overview.erlang_full_version + '">Erlang ' + fmt_escape_html(overview.erlang_full_version) + '">Erlang ' +
overview.erlang_version + '</acronym></p>'); fmt_escape_html(overview.erlang_version) + '</acronym></p>');
nodes_interesting = false; nodes_interesting = false;
rabbit_versions_interesting = false; rabbit_versions_interesting = false;
if (user_monitor) { if (user_monitor) {