Bug 43054 - unsecure remote resource loading in css
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Jürn Brodersen
QA Contact: Alexander Kläser
Depends on:
Blocks: 43055
Reported: 2016-11-25 13:30 CET by Nico Stöckigt
Modified: 2016-12-01 16:27 CET

See Also:
What kind of report is it?: Security Issue
Ticket number: 2016112521000141
Bug group (optional): Security


Attachments
Patchfile for the umc.css (580 bytes, patch), 2016-11-25 13:30 CET, Nico Stöckigt

Description Nico Stöckigt univentionstaff 2016-11-25 13:30:56 CET
Created attachment 8243
Patchfile for the umc.css

In the file /usr/share/univention-management-console-frontend/js/dijit/themes/umc/umc.css, line 10692, there is a CSS background attribute which loads an image from demo.univention.de that is used for statistics. Unfortunately this image is loaded via http instead of https, so it will break the secure context of the website.

Attached is a patch file to correct that behaviour in a production environment.
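The mixed-content problem described in this report is easy to catch before a package ships: every url() reference in a stylesheet can be listed and classified by how a browser on an https page would fetch it. The script below is an added example, not code from UCS or from this bug report. The sample stylesheet, the host names demo.example.test and cdn.example.test and the file names in it are constructed to mirror the pattern described above; the actual line from umc.css is not reproduced.

```python
"""Flag CSS url() references that would be mixed content on an HTTPS page.

Added example, not code from UCS or from this bug report. SAMPLE_CSS is
constructed; its hosts and file names are not taken from umc.css.
"""
import re
import sys
from dataclasses import dataclass
from urllib.parse import urlsplit

# url(x), url('x') and url("x") are all valid CSS; group 1 remembers the quote
# so the closing quote must match the opening one.
URL_RE = re.compile(r"""url\(\s*(['"]?)(.*?)\1\s*\)""", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: int
    url: str
    kind: str  # "local", "remote", "protocol-relative" or "insecure-remote"


def classify(url):
    """Decide how a browser would fetch this reference from an https page."""
    if url.lower().startswith("data:"):
        return "local"  # inlined, no request leaves the browser
    if url.startswith("//"):
        # Inherits the page scheme, so it is https on an https page, but it
        # still sends every visitor to a third-party host.
        return "protocol-relative"
    scheme = urlsplit(url).scheme  # urlsplit lower-cases the scheme
    if scheme == "http":
        return "insecure-remote"  # mixed content: plain http inside an https page
    if scheme:
        return "remote"  # https (or any other absolute scheme) from another host
    return "local"  # relative path, served by the same origin as the stylesheet


def scan_css(text):
    """Return one Finding per url() reference, in file order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(2).strip()
            findings.append(Finding(lineno, url, classify(url)))
    return findings


def mixed_content(findings):
    """The references that break the secure context outright."""
    return [f for f in findings if f.kind == "insecure-remote"]


def remote_references(findings):
    """Everything that leaves the origin, secure or not; the wider point of the
    report is that a console theme should not load from a remote host at all."""
    return [f for f in findings if f.kind != "local"]


# Constructed sample: three local references, one protocol-relative font and
# one background image pulled over plain http from a remote host.
SAMPLE_CSS = """\
.umc-menu-icon { background: url(images/menu.svg) no-repeat; }
.umc-logo { background-image: url("../images/logo.png"); }
.umc-mobile-menu { background: url(http://demo.example.test/stats/bg.png); }
.umc-font { src: url('//cdn.example.test/font.woff2') format('woff2'); }
.umc-dot { background: url(data:image/png;base64,iVBORw0KGgo=); }
"""


def report(text):
    """Human-readable lines, one per reference that leaves the origin."""
    return [f"line {f.line}: {f.kind}: {f.url}" for f in remote_references(scan_css(text))]


if __name__ == "__main__":
    # Pass a stylesheet path to scan a real file, e.g. the umc.css named above.
    css = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSS
    for line in report(css):
        print(line)
    sys.exit(1 if mixed_content(scan_css(css)) else 0)
```

The non-zero exit status on any http reference makes the script usable as a build or packaging check. Browsers treat an image fetched over http from an https page as passive mixed content: depending on the browser it is blocked or loaded with the padlock downgraded, and in either case the remote host learns the address of every client that opens the console, which is the statistics use the report mentions. The "remote" and "protocol-relative" findings are not mixed content but are worth reviewing for the same reason.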
Comment 1 Florian Best univentionstaff 2016-11-25 13:58:59 CET
I already created a bug for this at some point but can't find it. It is wrong that we use demo.univention.de at all. The image should be the local file. It was a typo during development in svn r68703 / Bug #38622.
Comment 2 Jürn Brodersen univentionstaff 2016-11-30 15:44:31 CET
r74836: Use local resource for mobile menu background image
Package: univention-management-console-frontend-theme
Version: 1.0.4-9.119.201611301539
Branch: ucs_4.1-0
Scope: errata4.1-4

r74838: yaml
Comment 3 Florian Best univentionstaff 2016-11-30 15:50:21 CET
Please merge to UCS 4.2.
The package changed to univention-web.
Comment 4 Jürn Brodersen univentionstaff 2016-11-30 16:03:21 CET
(In reply to Florian Best from comment #3)
> Please merge to UCS 4.2.
> The package changed to univention-web.

r74841
Comment 5 Florian Best univentionstaff 2016-11-30 16:06:08 CET
(In reply to Florian Best from comment #1)
> I already created a bug for this somewhen but can't find it. It is wrong
> that we use demo.univention.de at all. The image should be the local file.
> It was a typo during development svn r68703 / Bug #38622.

Ahh, I already fixed this in UCS 4.2 during Bug #42228 in svn r72272.
Comment 6 Jürn Brodersen univentionstaff 2016-11-30 16:14:25 CET
(In reply to Florian Best from comment #5)
> (In reply to Florian Best from comment #1)
> > I already created a bug for this somewhen but can't find it. It is wrong
> > that we use demo.univention.de at all. The image should be the local file.
> > It was a typo during development svn r68703 / Bug #38622.
> 
> Ahh, I already fixed this in UCS 4.2 during Bug #42228 in svn r72272.

For UCS 4.2:
All other images use relative URLs (at least in this file). This one is now relative, too.
r74842: Better changelog entry
Comment 7 Alexander Kläser univentionstaff 2016-11-30 19:22:19 CET
Change: OK.
YAML file: OK.
Merge to 4.2-0: OK

→ VERIFIED
Comment 8 Janek Walkenhorst univentionstaff 2016-12-01 16:27:15 CET
<http://errata.software-univention.de/ucs/4.1/350.html>