Univention Bugzilla – Full Text Bug Listing

| Summary: | unsecure remote resource loading in css | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Nico Stöckigt <stoeckigt> |
| Component: | UMC (Generic) | Assignee: | Jürn Brodersen <brodersen> |
| Status: | CLOSED FIXED | QA Contact: | Alexander Kläser <klaeser> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, brodersen |
| Version: | UCS 4.1 | | |
| Target Milestone: | UCS 4.1-4-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | 2016112521000141 | Bug group (optional): | Security |
| Max CVSS v3 score: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 43055 | | |
| Attachments: | Patchfile for the umc.css | | |

I already created a bug for this somewhen but can't find it. It is wrong that we use demo.univention.de at all. The image should be the local file. It was a typo during development svn r68703 / Bug #38622.

r74836: Use local resource for mobile menu background image
Package: univention-management-console-frontend-theme
Version: 1.0.4-9.119.201611301539
Branch: ucs_4.1-0
Scope: errata4.1-4
r74838: yaml

Please merge to UCS 4.2.
The package changed to univention-web.

(In reply to Florian Best from comment #3)
> Please merge to UCS 4.2.
> The package changed to univention-web.

r74841

(In reply to Florian Best from comment #1)
> I already created a bug for this somewhen but can't find it. It is wrong
> that we use demo.univention.de at all. The image should be the local file.
> It was a typo during development svn r68703 / Bug #38622.

Ahh, I already fixed this in UCS 4.2 during Bug #42228 in svn r72272.

(In reply to Florian Best from comment #5)
> (In reply to Florian Best from comment #1)
> > I already created a bug for this somewhen but can't find it. It is wrong
> > that we use demo.univention.de at all. The image should be the local file.
> > It was a typo during development svn r68703 / Bug #38622.
>
> Ahh, I already fixed this in UCS 4.2 during Bug #42228 in svn r72272.

For UCS 4.2: All other images use relative url (at least in this file). This one is now relative, too.
r74842: Better changelog entry

Change: OK.
YAML file: OK.
Merge to 4.2-0: OK
→ VERIFIED

Created attachment 8243
Patchfile for the umc.css

In file /usr/share/univention-management-console-frontend/js/dijit/themes/umc/umc.css line 10692 there is a css background attribute which loads an image from demo.univention.de which is used for statistics. Unfortunately this image is loaded via http instead of https so it will break the secure context of the website.

Attached there is a Patchfile to correct that behavior in a productive environment.
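
A build-time check for the class of problem reported here, as an added example that is not part of the bug report or Univention's code: it lists every stylesheet reference that is fetched over plain http or from another host, so a stray absolute URL is caught before release. The sample CSS, host names and function names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# url(...) tokens and @import "..." strings are where a stylesheet pulls in resources.
URL_RE = re.compile(
    r"""url\(\s*(?:"([^"]*)"|'([^']*)'|([^)\s]*))\s*\)|@import\s+(?:"([^"]*)"|'([^']*)')""",
    re.IGNORECASE,
)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)


def classify(ref):
    """Return 'insecure' (http), 'remote' (https or //host) or 'local'."""
    if ref.startswith("//"):
        return "remote"  # protocol-relative: still leaves the origin
    scheme = urlsplit(ref).scheme.lower()
    if scheme == "http":
        return "insecure"  # mixed content on an https page
    if scheme == "https":
        return "remote"
    return "local"  # relative paths, data: URIs, fragments


def scan_css(text):
    """Return (line, kind, reference) for every non-local reference in text."""
    # Blank out comments but keep newlines so line numbers stay accurate.
    text = COMMENT_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), text)
    findings = []
    for m in URL_RE.finditer(text):
        ref = next(g for g in m.groups() if g is not None).strip()
        kind = classify(ref)
        if kind != "local":
            findings.append((text.count("\n", 0, m.start()) + 1, kind, ref))
    return findings


# Constructed sample; hosts and selectors are placeholders, not the real umc.css rule.
SAMPLE_CSS = """\
.menu { background: url("images/menu_bg.png"); }
.mobileMenu { background: url(http://stats.example.invalid/bg.svg) no-repeat; }
/* url(http://commented.example.invalid/old.png) */
@import "https://cdn.example.invalid/theme.css";
.icon { background-image: url(data:image/png;base64,AAAA); }
.logo { background: url('//static.example.invalid/logo.png'); }
"""

if __name__ == "__main__":
    for line, kind, ref in scan_css(SAMPLE_CSS):
        print(f"line {line}: {kind}: {ref}")
```

Failing the build on any `insecure` finding and reviewing each `remote` one enforces the rule stated in the thread that images in this file use relative URLs.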