Date: Thu, 23 Nov 2017 09:19:00 +0000 (UTC)
From: "ASF GitHub Bot (JIRA)"
To: cloudstack-issues@incubator.apache.org
Reply-To: dev@cloudstack.apache.org
Mailing-List: contact issues-help@cloudstack.apache.org; run by ezmlm
Subject: [jira] [Commented] (CLOUDSTACK-10153) Sanitize string arguments in API requests for XSS scripts
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
archived-at: Thu, 23 Nov 2017 09:19:07 -0000

[ https://issues.apache.org/jira/browse/CLOUDSTACK-10153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16264041#comment-16264041 ]

ASF GitHub Bot commented on CLOUDSTACK-10153:
---------------------------------------------

borisstoyanov commented on issue #2336: CLOUDSTACK-10153: Introduce string API arg trust validation
URL: https://github.com/apache/cloudstack/pull/2336#issuecomment-346564985

@blueorangutan test

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org

> Sanitize string arguments in API requests for XSS scripts
> ---------------------------------------------------------
>
>                 Key: CLOUDSTACK-10153
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10153
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.)
>            Reporter: Rohit Yadav
>            Assignee: Rohit Yadav
>             Fix For: Future
>
>
> API requests made using the CloudStack UI do not allow use of the special characters "<" and ">"; however, direct API requests made using CLIs such as cloudmonkey may pass unsanitized string API arguments to the backend. A backend sanitizer can be put in to filter string API arguments and remove possible XSS scripts using libraries such as https://github.com/OWASP/java-html-sanitizer

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
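The issue description above proposes a backend sanitizer for string API arguments built on the OWASP java-html-sanitizer. The following is an added example of what such a filter looks like; it is not code from the linked pull request or from CloudStack itself. It assumes the `org.owasp.html` library is on the classpath; the class `ApiArgSanitizer`, its method names and the sample request map are hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Backend filter for string API arguments, in the spirit of CLOUDSTACK-10153.
 * Hypothetical class written for this example; not CloudStack's own code.
 */
public class ApiArgSanitizer {

    // A policy built from an empty HtmlPolicyBuilder permits no elements and no
    // attributes, so every tag (script, img, iframe, inline event handlers, ...)
    // is dropped and only the text content survives, HTML-encoded.
    private static final PolicyFactory STRIP_ALL_MARKUP = new HtmlPolicyBuilder().toFactory();

    /** Returns the argument with all HTML markup removed; null stays null. */
    public static String sanitize(String value) {
        if (value == null) {
            return null;
        }
        return STRIP_ALL_MARKUP.sanitize(value);
    }

    /**
     * True when sanitizing would change the value. This is the signal a
     * "trust validation" check can use to reject the request instead of
     * silently rewriting it, and the event worth logging for detection.
     */
    public static boolean wouldBeAltered(String value) {
        return value != null && !value.equals(sanitize(value));
    }

    /**
     * Sanitizes every string argument of an API request. Returns a new map so
     * the raw request remains available for audit logging.
     */
    public static Map<String, String> sanitizeAll(Map<String, String> params) {
        Map<String, String> clean = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : params.entrySet()) {
            clean.put(e.getKey(), sanitize(e.getValue()));
        }
        return clean;
    }

    public static void main(String[] args) {
        // Constructed sample request, standing in for what a CLI client could
        // send directly to the API, bypassing the UI's "<" / ">" check.
        Map<String, String> request = new LinkedHashMap<>();
        request.put("command", "createVolume");
        request.put("name", "vol-1<script>alert(1)</script>");
        request.put("displaytext", "size: 10 < 20 GB");

        for (Map.Entry<String, String> e : sanitizeAll(request).entrySet()) {
            String raw = request.get(e.getKey());
            System.out.printf("%-12s altered=%-5s %s -> %s%n",
                    e.getKey(), wouldBeAltered(raw), raw, e.getValue());
        }
    }
}
```

Two points a practitioner should keep in mind. First, the sanitizer's output is HTML text, so a benign value such as `size: 10 < 20 GB` comes back with `&lt;` in place of `<`; a strip-everything policy therefore changes legitimate arguments as well as malicious ones, which is why `wouldBeAltered` is exposed separately: for fields where rewriting is unacceptable, rejecting the request with a validation error is the cleaner choice. Second, filtering at the API boundary is defense in depth for stored values; the UI and any other consumer still need proper contextual output encoding, because the API is not the only path by which a string can reach a page.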