aio-interface: fix token history leak, streaming XSS and missing cache headers#8049
Conversation
…SS, borg password persistence, and missing cache headers Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…y script Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…rove comments Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…tighten URL validation Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…_fetch success param Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/f1016d36-0771-46e0-992c-95ce22594414 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…ing and GetTryLogin HTML redirect Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/55bc79a5-dea6-4bcf-9d13-030209b54382 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
…rd clearing and GetTryLogin HTML redirect" This reverts commit 68bb93a.
…addressed in separate PRs) Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/d7eb7ba7-23d8-4082-8255-09f1338de24b Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
pabzm
left a comment
There was a problem hiding this comment.
Without a description I can only comment on the technical implementation, not on the intention.
| 'community_containers_enabled' => $configurationManager->aioCommunityContainers, | ||
| 'bypass_container_update' => $bypass_container_update, | ||
| ]); | ||
| ])->withHeader('Cache-Control', 'no-store'); |
There was a problem hiding this comment.
Shouldn't these headers probably be added in more places?
There was a problem hiding this comment.
I've split this change up into a separate PR: #8161
| @@ -0,0 +1,26 @@ | |||
| // This script is loaded after a successful token-based login. | |||
There was a problem hiding this comment.
I think this is a crutch for a problem that wouldn't exist if we'd use a POST-request for the indirect login, which is more appropriate for a login-request anyways. (Or replace it fully e.g. by a cookie as discussed in #7686).
I'd favour to change the login request method instead of this.
There was a problem hiding this comment.
I fear a cross-site Post is possible but would probably require an adjusted CSP inside Nextcloud and IAO to make it work... Also not sure about CSRF...
| // wanted markup or formatting. | ||
| $addToStreamingResponseBody = function (Container $container, string $message) use ($nonbufResp) : void { | ||
| $nonbufResp->getBody()->write("<div>{$container->displayName}: {$message}</div>"); | ||
| $nonbufResp->getBody()->write('<div>' . htmlspecialchars($container->displayName, ENT_QUOTES | ENT_HTML5) . ': ' . htmlspecialchars($message, ENT_QUOTES | ENT_HTML5) . '</div>'); |
There was a problem hiding this comment.
As far as I can tell this would result in the HTML-encoded entities being visible as text in the log view overlay.
Was there an actual XSS found? The JS code in log-view.js deliberately inserts the text in a way that should be safe, thus I'm wondering if this comes from a wild guess or from an actual vulnerability.
There was a problem hiding this comment.
No this does not come from a vulnerability found. Probably we don't need this then.
|
This PR probably needs more discussions. Lets for now continue in #8161 |
No description provided.