Project

General

Profile

Actions

Bug #10265

open

Adding a Note with malformed title will force system restore

Added by Yuri Weinstein about 4 years ago. Updated about 4 years ago.

Status:
New
Priority:
Very Low
Assignee:
-
Category:
Notes
Target version:
-
Start date:
02/17/2020
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

This is related to using Notes package.

Add a new note with title

"Add/Change/Set the custom resolution of your display using xrandr on Ubuntu 18.04 — {In a minute}"

(I am not sure why this particular string causes a problem, but it does) and anything in the notes body

Click on Save => notice that the note was not added and pfSense System Notices show a new warning:

"pfSenseConfigurator
pfSense is restoring the configuration /cf/conf/backup/config-1581970855.xml @ 2020-02-17 12:21:23"

Actions #1

Updated by Jim Pingle about 4 years ago

  • Project changed from pfSense to pfSense Packages
  • Category changed from Unknown to Notes
  • Priority changed from Normal to Very Low

The string uses characters which are invalid in XML, and that field is not protected. The package should probably validate that string before storing it.

Actions #2

Updated by Viktor Gurov about 4 years ago

Jim Pingle wrote:

The string uses characters which are invalid in XML, and that field is not protected. The package should probably validate that string before storing it.

The same issue when input contains special characters or umlaut:
https://redmine.pfsense.org/issues/9813
https://redmine.pfsense.org/issues/4497

Actions #3

Updated by Jim Pingle about 4 years ago

Viktor Gurov wrote:

Jim Pingle wrote:

The string uses characters which are invalid in XML, and that field is not protected. The package should probably validate that string before storing it.

The same issue when input contains special characters or umlaut:
https://redmine.pfsense.org/issues/9813
https://redmine.pfsense.org/issues/4497

Yes that's a general issue with XML storage but it's unrelated to this specific bug. We use CDATA encoding to protect some fields (depending on the name), base64 to protect others, and input validation to prevent using certain strings in even more. The best fit generally depends on the content and where it is (for example, base system vs packages, text boxes vs text areas, passwords, etc).

Actions #4

Updated by Viktor Gurov about 4 years ago

Jim Pingle wrote:

Yes that's a general issue with XML storage but it's unrelated to this specific bug. We use CDATA encoding to protect some fields (depending on the name), base64 to protect others, and input validation to prevent using certain strings in even more. The best fit generally depends on the content and where it is (for example, base system vs packages, text boxes vs text areas, passwords, etc).

Is it possible to create a list of pkgs config entries that must be in CDATA encoding?
Like https://redmine.pfsense.org/issues/7186

Actions #5

Updated by Jim Pingle about 4 years ago

It is not viable to set that list up dynamically, since if a user removes the package, the value is still in the config with CDATA encoding which would be removed on the next config.xml save, and then break.

It's better for packages to stick to field names we already encode where possible.

Actions

Also available in: Atom PDF