Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/08/16 21:01:34 UTC

[GitHub] [trafficcontrol] ocket8888 opened a new pull request #6108: Fix email content injection

ocket8888 opened a new pull request #6108:
URL: https://github.com/apache/trafficcontrol/pull/6108


   This fixes an email content injection vulnerability in the `/deliveryservices/request` Traffic Ops API endpoint by restricting the character set for customer names to alphanumeric and @, !, #, $, %, ^, &, *, (, ), [, ], '.', ' ', and '-'.
   -----------------------------------------------
   
   ## Which Traffic Control components are affected by this PR?
   - Documentation
   - Traffic Ops
   
   ## What is the best way to verify this PR?
   Make a request to `/deliveryservices/request` with a customer name that includes newline characters, e.g.
   ```json
   {
   	"emailTo": "foo@bar.com",
   	"details": {
   		"customer": "XYZ Corporation \nThis string has newlines.\n",
   		"contentType": "static",
   		"deepCachingType": "NEVER",
   		"deliveryProtocol": "http",
   		"routingType": "http",
   		"routingName": "demo1",
   		"serviceDesc": "service description goes here",
   		"peakBPSEstimate": "less-than-5-Gbps",
   		"peakTPSEstimate": "less-than-1000-TPS",
   		"maxLibrarySizeEstimate": "less-than-200-GB",
   		"originURL": "http://myorigin.com",
   		"hasOriginDynamicRemap": false,
   		"originTestFile": "http://origin.infra.ciab.test",
   		"hasOriginACLWhitelist": false,
   		"originHeaders": "",
   		"otherOriginSecurity": "",
   		"queryStringHandling": "ignore-in-cache-key-and-pass-up",
   		"rangeRequestHandling": "range-requests-not-used",
   		"hasSignedURLs": false,
   		"hasNegativeCachingCustomization": false,
   		"negativeCachingCustomizationNote": "",
   		"serviceAliases": [],
   		"rateLimitingGBPS": 50,
   		"rateLimitingTPS": 5000,
   		"overflowService": null,
   		"headerRewriteEdge": "",
   		"headerRewriteMid": "",
   		"headerRewriteRedirectRouter": "",
   		"notes": ""
   	}
   }
   ```
   and observe that it is rejected by the API
   
   ## If this is a bugfix, which Traffic Control versions contained the bug?
   - master
   - 5.x
   - 4.x
   
   ## PR submission checklist
   - [x] This PR has documentation <!-- If not, please delete this text and explain why this PR does not need documentation. -->
   - [x] This PR has a CHANGELOG.md entry <!-- A fix for a bug from an ATC release, an improvement, or a new feature should have a changelog entry. -->
   - [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@trafficcontrol.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
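The validation the PR describes, written out as an added Go example (not the project's own code): the character class is modelled on the list in the PR description, and the exact pattern, the non-empty requirement, and the `dsRequest` struct are assumptions for illustration. It decodes the same kind of request body shown in the verification steps and rejects the newline-bearing customer name before it could reach the e-mail template.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Allowed customer-name characters, modelled on the PR description:
// alphanumerics plus @ ! # $ % ^ & * ( ) [ ] '.' ' ' and '-'.
// Assumption: the project's real pattern may differ in detail (e.g. whether
// an empty name is allowed); this one requires at least one character.
var customerNameRe = regexp.MustCompile(`^[A-Za-z0-9@!#$%^&*()\[\]. -]+$`)

// ValidCustomerName reports whether name contains only allowed characters.
// CR, LF and other control characters fall outside the class, which is what
// closes the content-injection path into the generated e-mail.
func ValidCustomerName(name string) bool {
	return customerNameRe.MatchString(name)
}

// dsRequest mirrors only the fields of the /deliveryservices/request body
// that matter here (hypothetical struct, not the project's type).
type dsRequest struct {
	EmailTo string `json:"emailTo"`
	Details struct {
		Customer string `json:"customer"`
	} `json:"details"`
}

// ValidateRequestBody decodes a request body and returns a non-nil error
// describing why the request must be rejected, or nil if it is acceptable.
func ValidateRequestBody(body string) error {
	var req dsRequest
	if err := json.Unmarshal([]byte(body), &req); err != nil {
		return fmt.Errorf("malformed JSON: %w", err)
	}
	if !ValidCustomerName(req.Details.Customer) {
		return fmt.Errorf("'details.customer' contains disallowed characters: %q", req.Details.Customer)
	}
	return nil
}

func main() {
	// Constructed sample bodies; the first carries the PR's newline test case.
	injected := `{"emailTo":"foo@bar.com","details":{"customer":"XYZ Corporation \nThis string has newlines.\n"}}`
	clean := `{"emailTo":"foo@bar.com","details":{"customer":"XYZ Corporation (Media & Co.) #1"}}`
	for _, b := range []string{injected, clean} {
		if err := ValidateRequestBody(b); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted")
		}
	}
}
```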



[GitHub] [trafficcontrol] zrhoffman merged pull request #6108: Fix email content injection

Posted by GitBox <gi...@apache.org>.
zrhoffman merged pull request #6108:
URL: https://github.com/apache/trafficcontrol/pull/6108


   

