File fix-CVE-2021-32718.patch of Package rabbitmq-server.38523

From 5d15ffc5ebfd9818fae488fc05d1f120ab02703c Mon Sep 17 00:00:00 2001
From: Michael Klishin <michael@clojurewerkz.org>
Date: Thu, 6 May 2021 06:57:43 +0300
Subject: [PATCH] Escape username before displaying it

All other values displayed in pop-ups are already
escaped.
---
 deps/rabbitmq_management/priv/www/js/dispatcher.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: rabbitmq-server-3.8.11/deps/rabbitmq_management/priv/www/js/dispatcher.js
===================================================================
--- rabbitmq-server-3.8.11.orig/deps/rabbitmq_management/priv/www/js/dispatcher.js
+++ rabbitmq-server-3.8.11/deps/rabbitmq_management/priv/www/js/dispatcher.js
@@ -189,7 +189,7 @@ dispatcher_add(function(sammy) {
             res = sync_put(this, '/users/:username');
             if (res) {
                 if (res.http_status === 204) {
-                    username = res.req_params.username;
+                    username = fmt_escape_html(res.req_params.username);
                     show_popup('warn', "Updated an existing user: '" + username + "'");
                 }
                 update();
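Review bot: The added line assigns `username` with no `var`/`let`/`const` visible in this hunk, so unless it is declared earlier in the handler (the enclosing function starts and ends outside the hunk) the HTML-escaped value ends up in an implicit global whose name suggests the raw username. Escaping at the point of use avoids keeping an encoded copy that could later be reused in a non-HTML context or escaped a second time: `show_popup('warn', "Updated an existing user: '" + fmt_escape_html(res.req_params.username) + "'");`. The fix implies that `show_popup` inserts its message as markup, so a one-line comment at this call, for example `// popup text is rendered as HTML: escape request-derived values`, would keep the convention visible to whoever adds the next pop-up. The commit message says the other pop-up values are already escaped; a test that submits a username containing markup and checks the rendered pop-up text would keep this path from regressing.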