author | Jo-Philipp Wich <jo@mein.io> | 2021-05-12 11:49:31 +0200 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2021-05-12 11:57:21 +0200 |
commit | 3c66c5b1651aa25afbff09bee45047da9a0ba43d (patch) | |
tree | 405e4675d61de7359375813f5942dd1e208dec64 /modules/luci-mod-status/htdocs/luci-static | |
parent | f99e4edcc986cd8443f8e7aaab067befd562e14a (diff) |
luci-mod-status: fix potential XSS via specially crafted DNS names
When an upstream NS returns PTR domain names containing HTML, they are
added verbatim to the connection status table.
Prevent this issue by HTML escaping any values in the source and
destination columns.
Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-mod-status/htdocs/luci-static')
-rw-r--r-- | modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
index 9d97569d22..a87fe53fed 100644
--- a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
+++ b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
@@ -133,8 +133,8 @@ return view.extend({
 rows.push([
 c.layer3.toUpperCase(),
 c.layer4.toUpperCase(),
- c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src,
- c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst,
+ '%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src),
+ '%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst),
 '%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.'))
 ]);
 } |
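Review bot: The two added `'%h'.format(...)` cells carry no hint of why escaping is needed there and not on the neighbouring `c.layer3`/`c.layer4` cells, so the next column added to this row (or a refactor of the ternaries) can easily drop it again. A short why-comment above the `rows.push([` call would pin the trust boundary: `// src/dst may hold reverse-DNS (PTR) names supplied by an upstream resolver; they are attacker-influenced and the table renders cells as HTML, so escape them with %h (CVE-2021-32019).` The remaining columns appear to come from the connection-tracking data and the translation catalogue, which this hunk does not show to be untrusted, but stating that assumption in the same comment would make the reviewer's reasoning checkable. The enclosing loop and the `view.extend({` function both start outside the hunk, and the origin of `src`/`dst` is not visible here.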