security: fix XSS and open redirect in auth and UI pages (1.2.x backport)#6910
Merged
TheWitness merged 2 commits intoCacti:1.2.xfrom Mar 29, 2026
Merged
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
Backports targeted XSS and open-redirect hardening to Cacti 1.2.x pages by ensuring request-derived values are safely embedded in JavaScript contexts and that Referer-based redirects are restricted to same-origin.
Changes:
- Harden JS string interpolation by switching to
json_encode(...)for JS-bound variables in UI pages. - Add same-origin validation before using
HTTP_REFERERforLocation:redirects. - Introduce a new “JS context hardening” unit test file (currently not runnable / not aligned with the codebase).
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
auth_changepassword.php |
Adds Referer sanitization + same-origin checks for redirects; encodes $return for JS onclick usage. |
auth_profile.php |
Encodes the tab request variable via json_encode before embedding in JS. |
lib/html_graph.php |
Encodes $action and $page for safe JS embedding. |
link.php |
Validates/sanitizes Referer before using it as a redirect target fallback. |
tests/Unit/JsContextHardeningTest.php |
Adds regression tests for JS hardening (but currently references missing files/strings and requires Pest which isn’t present). |
TheWitness
previously approved these changes
Mar 28, 2026
…ort) - Validate Referer host before using in Location header (auth_changepassword.php, link.php) - Encode return target via json_encode in JS onClick handler (auth_changepassword.php) - Encode tab parameter via json_encode in JS context (auth_profile.php) - Encode pageAction and graphPage via json_encode in JS context (lib/html_graph.php) - Add JS context hardening unit tests Addresses GHSA-34rf-frc3-v48r (High), GHSA-2j98-xfjq-gw39 (Medium), GHSA-cfhh-pwvx-gp5g (Medium), GHSA-rv79-cxhv-2jwq (Medium) Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
somethingwithproof
force-pushed
the
backport/1.2.x-auth-session-v2
branch
from
992bd24 to
ecf2c16
Compare
TheWitness
approved these changes
Mar 29, 2026
bmfmancini
approved these changes
Mar 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Surgical edits to current 1.2.x files (no wholesale file checkouts).
5 files, +93/-7 lines.
Security
Test plan
vendor/bin/pest tests/Unit/JsContextHardeningTest.php