File fix-CVE-2021-32718.patch of Package rabbitmq-server.20991
From 5d15ffc5ebfd9818fae488fc05d1f120ab02703c Mon Sep 17 00:00:00 2001
From: Michael Klishin <michael@clojurewerkz.org>
Date: Thu, 6 May 2021 06:57:43 +0300
Subject: [PATCH] Escape username before displaying it
All other values displayed in pop-ups are already
escaped.
---
deps/rabbitmq_management/priv/www/js/dispatcher.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deps/rabbitmq_management/priv/www/js/dispatcher.js b/deps/rabbitmq_management/priv/www/js/dispatcher.js
index d2842c2da8a..5f1b54dbac8 100644
--- a/deps/rabbitmq_management/priv/www/js/dispatcher.js
+++ b/deps/rabbitmq_management/priv/www/js/dispatcher.js
@@ -189,7 +189,7 @@ dispatcher_add(function(sammy) {
res = sync_put(this, '/users/:username');
if (res) {
if (res.http_status === 204) {
- username = res.req_params.username;
+ username = fmt_escape_html(res.req_params.username);
show_popup('warn', "Updated an existing user: '" + username + "'");
}
update();
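Review bot: The escaping is applied at this one call site rather than inside `show_popup`, so the protection still depends on every caller remembering `fmt_escape_html`. The commit message says other pop-up values are escaped the same way, which suggests the helper inserts its message as markup, but its body is not in this hunk, so that is inferred. Consider a comment on the assignment such as `// request-derived value: must be HTML-escaped before show_popup`, and as a follow-up either audit the remaining `show_popup` callers or move the escaping into the helper. Separately, `username` is assigned without a declaration in the visible lines, so unless it is declared earlier in the handler it becomes an implicit global; `var username = fmt_escape_html(res.req_params.username);` would keep it local. The enclosing handler starts and ends outside the hunk.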