openwrt-mirror/luci
1
0
Fork 0
mirror of https://github.com/openwrt/luci.git synced 2025-12-21 21:24:35 +04:00
Code Issues Packages Projects Releases Wiki Activity

luci-mod-status: fix potential XSS via specially crafted DNS names

Browse Source 
When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b165)
This commit is contained in:
Jo-Philipp Wich
2021-05-12 11:49:31 +02:00
parent ec81a49945
commit d0cf6e4a57
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
View File

@@ -133,8 +133,8 @@ return view.extend({
rows.push([
c.layer3.toUpperCase(),
c.layer4.toUpperCase(),
c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src,
c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst,
'%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src),
'%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst),
'%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.'))
]);
}