Univention Bugzilla – Bug 44498
UMC doesn't escape HTML from dpkg
Last modified: 2021-06-23 07:29:10 CEST
I don't know who is responsible for escaping it (UMC, app center, updater), please adapt component and title accordingly.

+++ This bug was initially created as a clone of Bug #44489 +++

While installing univention-spamassassin (as part of the kopano-core installation) the following is logged in umc-module-appcenter.log:

27.04.17 14:37:32.575 MODULE ( PROCESS ) : http: GET http://sa-update.secnap.net/1786640.tar.gz request failed: 404 Not Found: <html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>

As the error from the webpage is HTML formatted, it was displayed in huge letters in the progress bar.

==============================================================

This seems to me like a code injection vector!
Created attachment 8872 [details] patch
This has already been improved in UCS 4.2, but I made the escaping much more explicit and moved it into the ProgressBar widget of univention-web itself.

univention-appcenter (6.0.7-14): r79639 | Bug #44498: escape HTML in progressbar messages
univention-web (1.0.42-17): r79640 | Bug #44498: escape HTML in progressbar messages
univention-appcenter.yaml: r79641 | YAML Bug #44498
univention-web.yaml: r79641 | YAML Bug #44498
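The two comments above describe the problem (an upstream 404 page was appended verbatim to a progress message and rendered as markup) and the fix (escape the message inside the progress-bar widget). The following is an added illustration, not code from univention-web or from the patch attached to this bug: a minimal stand-in for a widget that renders its message as HTML, shown unescaped beside the escaped variant, run against a message constructed from the nginx 404 body quoted in the report. The `renderProgress*` and `containsForeignTags` helpers are hypothetical names chosen for the example.

```javascript
"use strict";

// Characters with special meaning in HTML text and attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape a value so it is rendered literally when inserted via innerHTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample modelled on the umc-module-appcenter.log line in the
// report: the remote server's 404 body is appended to the error message.
const NGINX_404_BODY =
  "<html>\n<head><title>404 Not Found</title></head>\n<body bgcolor=\"white\">\n" +
  "<center><h1>404 Not Found</h1></center>\n<hr><center>nginx/1.6.2</center>\n" +
  "</body>\n</html>";
const RAW_MESSAGE =
  "http: GET http://sa-update.secnap.net/1786640.tar.gz request failed: " +
  "404 Not Found: " + NGINX_404_BODY;

// Hypothetical progress-bar markup builder that interpolates the message
// verbatim: anything in the message becomes part of the page's DOM.
function renderProgressUnsafe(message) {
  return `<div class="progress"><span class="message">${message}</span></div>`;
}

// Hardened variant: the message is escaped before it is placed in the markup,
// which is the behaviour the fix moves into the ProgressBar widget.
function renderProgressEscaped(message) {
  return `<div class="progress"><span class="message">${escapeHtml(message)}</span></div>`;
}

// Check used by the test: does the rendered widget contain any tag that the
// widget itself did not emit?
function containsForeignTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  const own = new Set([
    '<div class="progress">',
    '<span class="message">',
    "</span>",
    "</div>",
  ]);
  return tags.some((tag) => !own.has(tag));
}

// Stand-alone run: the unescaped widget leaks the nginx markup, the escaped
// one does not.
console.log("unsafe leaks tags:", containsForeignTags(renderProgressUnsafe(RAW_MESSAGE)));
console.log("escaped leaks tags:", containsForeignTags(renderProgressEscaped(RAW_MESSAGE)));
```

Doing the escaping in the widget rather than in every caller (app center, updater, UMC modules) is what makes the fix robust: a caller that forgets, or a new error source such as a proxy's error page, can no longer inject markup into the progress bar.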
OK, works.
Mismatching binary package version: 1.0.42-15A~4.2.0.201705231328 != univention-web-js 1.0.42-17A~4.2.0.201705241252 from univention-web 1.0.42-17A~4.2.0.201705241252
<http://errata.software-univention.de/ucs/4.2/31.html> <http://errata.software-univention.de/ucs/4.2/38.html>