Issues

Select view

List view

Detail view

Select search mode

Basic

JQL

7 of 7

html error from extension provider loaded directly into admin

Fixed

Description

when forgebox returns an error installing an extension, in this case my performance analyzer (forgebox says the binary is missing)

the whole forgebox error page is loaded directly into the admin, which messes everything up and is an xss risk (i know we explicitly trust extension providers, but still)

only the jquery text() of the response should be displayed (injected into the page), not the entire html response with css and js etc

Environment

None

Attachments

18 Jan 2021, 07:05 pm
18 Jan 2021, 06:27 pm

Details
Assignee
Zac Spitzer
Reporter
Zac Spitzer
Priority
New
Labels
adminextensionssecurityxss
Fix versions
6.0.0.76
New Issue warning screen
Before you create a new Issue, please post to the mailing list first https://dev.lucee.org
Once the issue has been verified, one of the Lucee team will ask you to file an issue
Sprint
None
Affects versions
5.3.8.138

Created 18 January 2021 at 18:30

Updated 27 April 2022 at 17:00

Resolved 14 April 2021 at 18:11

Activity

Show:

Zac Spitzer1 April 2021 at 15:01

https://github.com/lucee/Lucee/commit/ef55d2d3a114cf45a52ac1c2a067fec0bb827f48

Zac Spitzer18 January 2021 at 19:04
Edited

downloadFull throws the http response

https://github.com/lucee/Lucee/blob/5.3/core/src/main/cfml/context/admin/ext.functions.cfm#L571

PR to show safe error message

https://github.com/lucee/Lucee/pull/1156

Issues

html error from extension provider loaded directly into admin

Description

Environment

Attachments

Details

Assignee

Reporter

Priority

Labels

Fix versions

New Issue warning screen

Sprint

Affects versions

Activity

Zac Spitzer1 April 2021 at 15:01

Zac Spitzer18 January 2021 at 19:04Edited

Flag notifications

Something's gone wrong

Zac Spitzer18 January 2021 at 19:04
Edited