BPI/luci
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

luci-mod-status: fix potential XSS via specially crafted DNS names

Browse Source 
When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b1651aa25afbff09bee45047da9a0ba43d)
This commit is contained in:
Jo-Philipp Wich 2021-05-12 11:49:31 +02:00
parent 766e8f8cbf
commit e2abb45b0e
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
View File

@ -133,8 +133,8 @@ return view.extend({
rows.push([
c.layer3.toUpperCase(),
c.layer4.toUpperCase(),
c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src,
c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst,
'%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src),
'%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst),
'%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.'))
]);
}