Overview

File fix-CVE-2021-32718.patch of Package rabbitmq-server.20991

From 5d15ffc5ebfd9818fae488fc05d1f120ab02703c Mon Sep 17 00:00:00 2001
From: Michael Klishin <michael@clojurewerkz.org>
Date: Thu, 6 May 2021 06:57:43 +0300
Subject: [PATCH] Escape username before displaying it

All other values displayed in pop-ups are already
escaped.
---
 deps/rabbitmq_management/priv/www/js/dispatcher.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deps/rabbitmq_management/priv/www/js/dispatcher.js b/deps/rabbitmq_management/priv/www/js/dispatcher.js
index d2842c2da8a..5f1b54dbac8 100644
--- a/deps/rabbitmq_management/priv/www/js/dispatcher.js
+++ b/deps/rabbitmq_management/priv/www/js/dispatcher.js
@@ -189,7 +189,7 @@ dispatcher_add(function(sammy) {
             res = sync_put(this, '/users/:username');
             if (res) {
                 if (res.http_status === 204) {
-                    username = res.req_params.username;
+                    username = fmt_escape_html(res.req_params.username);
                     show_popup('warn', "Updated an existing user: '" + username + "'");
                 }
                 update();
openSUSE Build Service is sponsored by
Places