Difuse/luci
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

luci-mod-status: fix potential XSS via specially crafted DNS names

Browse source 
When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich 2021-05-12 11:49:31 +02:00
parent f99e4edcc9
commit 3c66c5b165
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
View file

@ -133,8 +133,8 @@ return view.extend({
rows.push([
c.layer3.toUpperCase(),
c.layer4.toUpperCase(),
c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src,
c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst,
'%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src),
'%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst),
'%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.'))
]);
}