Fixes an XSS issue with unescaped node names. (#3578)

* Fixes an XSS issue with node names in the tomography graph.

* Updates built-in static web assets.

* Updates the change log.
pull/3582/head
James Phillips 2017-10-16 09:12:36 -07:00 committed by GitHub
parent d5b945ccee
commit f25c66dfd9
3 changed files with 38 additions and 34 deletions

@ -1,5 +1,9 @@
## 1.0.0 (UNRELEASED)
SECURITY:
* Fixed an XSS issue with Consul's built-in web UI where node names were not being properly escaped. [[GH-3578](https://github.com/hashicorp/consul/issues/3578)]
BREAKING CHANGES:
* **Raft Protocol Now Defaults to 3:** The [`-raft-protocol`](https://www.consul.io/docs/agent/options.html#_raft_protocol) default has been changed from 2 to 3, enabling all [Autopilot](https://www.consul.io/docs/guides/autopilot.html) features by default. Version 3 requires Consul running 0.8.0 or newer on all servers in order to work, so if you are upgrading with older servers in a cluster then you will need to set this back to 2 in order to upgrade. See [Raft Protocol Version Compatibility](https://www.consul.io/docs/upgrade-specific.html#raft-protocol-version-compatibility) for more details. Also the format of `peers.json` used for outage recovery is different when running with the lastest Raft protocol. See [Manual Recovery Using peers.json](https://www.consul.io/docs/guides/outage.html#manual-recovery-using-peers-json) for a description of the required format. [[GH-3477](https://github.com/hashicorp/consul/issues/3477)]
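Review bot: the new SECURITY entry mentions only node names, but the accompanying JavaScript change also escapes the segment value written into `data-segment`, so the entry could read "node names and segment names were not being properly escaped" to match the code. While this file is being touched, the unchanged Raft Protocol entry below carries a typo, "lastest Raft protocol", which could be corrected to "latest".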

File diff suppressed because one or more lines are too long

@ -105,7 +105,7 @@ function tomographyMouseOver(el) {
if (segment !== "") {
buf += ' (Segment: ' + segment + ')';
}
document.getElementById('tomography-node-info').innerHTML = buf;
document.getElementById('tomography-node-info').textContent = buf;
}
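Review bot: switching the sink from `innerHTML` to `textContent` is the right fix on this line, because `buf` is assembled as plain text (the `' (Segment: ' + segment + ')'` concatenation just above appends the segment string verbatim, so with `innerHTML` any markup inside a node or segment name would have been parsed as HTML). Two follow-ups: confirm there are no other `innerHTML` assignments in this file that receive node-derived strings, and add a one-line comment on the `textContent` assignment saying why `innerHTML` must not be used here, so a later refactor does not quietly reintroduce it.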
@ -151,7 +151,7 @@ Ember.Handlebars.helper('tomographyGraph', function(tomography, size) {
}
distances.forEach(function (d, i) {
buf += ' <line transform="rotate(' + (i * 360 / n) + ')" y2="' + (-insetSize * (d.distance / max)) + '" ' +
'data-node="' + d.node + '" data-distance="' + d.distance + '" data-segment="' + d.segment + '" onmouseover="tomographyMouseOver(this);"/>';
'data-node="' + Handlebars.Utils.escapeExpression(d.node) + '" data-distance="' + d.distance + '" data-segment="' + Handlebars.Utils.escapeExpression(d.segment) + '" onmouseover="tomographyMouseOver(this);"/>';
});
buf += '' +
' </g>' +
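Review bot: `d.distance` is still interpolated unescaped into the `data-distance` attribute (and into the `y2` expression) while `d.node` and `d.segment` now go through `Handlebars.Utils.escapeExpression`; if distance is always a number from the API that is harmless, but coercing it explicitly, e.g. `'" data-distance="' + Number(d.distance) + '"'`, would make the attribute-building line safe regardless of the value's type rather than relying on it. Note also that `escapeExpression` encodes double quotes, which is what prevents breaking out of the quoted attribute here; since `onmouseover="tomographyMouseOver(this)"` hands the element back to the function changed in the previous hunk, the `textContent` change there is the matching output-side half of this fix and the two should land together.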