Uploaded image for project: 'FishEye'
  1. FishEye
  2. FE-7175

Add whitelist entry for non-HTTP linker advcrm

    XMLWordPrintable

Details

    • Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

    Description

      Problem description
      As part of fixing a security vulnerability FE-7163: Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240 (fixed in FishEye 4.7.0) we introduce the file <FISHEYE_HOME>/syntax/url.def to whitelist url definitions. As consequence, some non-http linkers without entry in that file, stopped working in Fisheye/Crucible v 4.7

      Suggestion
      Add more definitions as we encounter more use cases, such as a definition for advcrm

      Workaround
      For advcrm add the following entry in the file <FISHEYE_HOME>/syntax/url.def

      # advcrm
  /\b(?:advcrm:(?:(?:[a-zA-Z\d$\-_.+!*'(),;\/?:@&=]|(?:%[a-fA-F\d]{2}))+))/ : {
    region {href="${0}";}
  }

      Thanks to that, all links with this scheme (and rest of the url will pass this regex check) will be rendered on UI.

      Steps:

      1. Switch off Fisheye/Crucible
      2. add new entry to the file (file location and entry above)
      3. launch Fisheye/Crucible
      4. All links should be rendered

      Attachments

        Issue Links

          is caused by

          Bug - A problem which impairs or prevents the functions of the product. FE-7163 Stored XSS in administrative linker functionality through the href parameter - CVE-2018-20240

          • Low - Low priority issues
          • Closed

          Activity

            People

              Unassigned Unassigned
              tathanassiadou Themis
              Votes:
              2 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: