Posted to dev@jspwiki.apache.org by "Juan Pablo Santos Rodríguez (JIRA)" <ji...@apache.org> on 2019/01/28 23:03:00 UTC

[jira] [Closed] (JSPWIKI-1048) Insecure Content

     [ https://issues.apache.org/jira/browse/JSPWIKI-1048?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Pablo Santos Rodríguez closed JSPWIKI-1048.
------------------------------------------------
    Resolution: Cannot Reproduce

Closing as per previous comments.

> Insecure Content
> ----------------
>
>                 Key: JSPWIKI-1048
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1048
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Editors
>    Affects Versions: 2.10.1
>         Environment: JSPWIKI on DISTRIB_ID=Ubuntu DISTRIB_RELEASE=16.04 DISTRIB_CODENAME=xenial DISTRIB_DESCRIPTION="Ubuntu 16.04.1 LTS" 
>  apache-tomcat-7.0.54
>            Reporter: Jim Willeke
>            Priority: Critical
>
> Appears that the form for loading attachments has a hard-coded "http" scheme. 
> <form action="http://ldapwiki.com/attach?progressid=287a52a3-05e8-4aed-b538-42761665122c"
>          class="wikiform"
>             id="uploadform"
>         method="post"
>        enctype="multipart/form-data" accept-charset="UTF-8"
>       onsubmit="return Wiki.submitUpload(this, '287a52a3-05e8-4aed-b538-42761665122c');" >
>     <table>
>     <tr>
>       <td colspan="2"><div class="formhelp">In order to upload a new attachment to this page, please use the following box to find the file, then click on &#8220;Upload&#8221;.</div></td>
>     </tr>
>     <tr>
>       <td><label for="attachfilename">Select file:</label></td>
>       <td><input type="file" name="content" id="attachfilename" size="60"/></td>
>     </tr>
>     <tr>
>       <td><label for="attachnote">Change Note:</label></td>
>       <td><input type="text" name="changenote" id="attachnote" maxlength="80" size="60" />
>     <input type="hidden" name="nextpage" value="/Upload.jsp?page=Main" /></td>
>     </tr>
>    <tr>
>       <td></td>
>       <td>
>         <input type="hidden" name="page" value="Main" />
>         <input type="submit" name="upload" id="upload" value="Upload" />
>         <input type="hidden" name="action" value="upload" />
>         <div id="progressbar"><div class="ajaxprogress"></div></div>
>       </td>
>     </tr>
>     </table>
>   </form>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
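
An added example, not part of the original message or of JSPWiki's code: a check that flags forms, like the quoted upload form, whose submission target resolves to plain http on a page served over https. The page URL passed to `audit` and the second, relative-action form in the sample are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class InsecureFormAudit(HTMLParser):
    """Record forms whose submission target resolves to plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []      # one dict per form that submits over http
        self._current = None    # finding for the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action inherits the page's own scheme;
            # only an absolute http:// action (or an http page) is flagged.
            target = urljoin(self.page_url, a.get("action") or "")
            self._current = None
            if urlsplit(target).scheme == "http":
                self._current = {"id": a.get("id"), "target": target,
                                 "line": self.getpos()[0], "file_upload": False}
                self.findings.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "file":
                self._current["file_upload"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit(html, page_url):
    """Return the http-bound forms found in html, as served from page_url."""
    parser = InsecureFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the reported form, abbreviated, plus a relative-action form.
SAMPLE = """\
<form action="http://ldapwiki.com/attach?progressid=287a52a3-05e8-4aed-b538-42761665122c"
      id="uploadform" method="post" enctype="multipart/form-data">
  <input type="file" name="content" id="attachfilename" size="60"/>
  <input type="hidden" name="nextpage" value="/Upload.jsp?page=Main" />
</form>
<form action="/Search.jsp" id="searchform"><input type="text" name="query"/></form>
"""
```

Calling `audit(SAMPLE, "https://ldapwiki.com/Upload.jsp?page=Main")` returns one finding, for `uploadform`, with `file_upload` set; the relative-action form is not reported because it follows the page's scheme.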