Bug #10265
open
Adding a Note with malformed title will force system restore
Added by Yuri Weinstein almost 5 years ago.
Updated almost 5 years ago.
Description
This is related to using Notes package.
Add a new note with title
"Add/Change/Set the custom resolution of your display using xrandr on Ubuntu 18.04 — {In a minute}"
(I am not sure why this particular string causes a problem, but it does) and anything in the notes body
Click on Save => notice that the note was not added and pfSense System Notices show a new warning:
"pfSenseConfigurator
pfSense is restoring the configuration /cf/conf/backup/config-1581970855.xml @ 2020-02-17 12:21:23"
- Project changed from pfSense to pfSense Packages
- Category changed from Unknown to Notes
- Priority changed from Normal to Very Low
The string uses characters which are invalid in XML, and that field is not protected. The package should probably validate that string before storing it.
Viktor Gurov wrote:
Jim Pingle wrote:
The string uses characters which are invalid in XML, and that field is not protected. The package should probably validate that string before storing it.
The same issue when input contains special characters or umlaut:
https://redmine.pfsense.org/issues/9813
https://redmine.pfsense.org/issues/4497
Yes that's a general issue with XML storage but it's unrelated to this specific bug. We use CDATA encoding to protect some fields (depending on the name), base64 to protect others, and input validation to prevent using certain strings in even more. The best fit generally depends on the content and where it is (for example, base system vs packages, text boxes vs text areas, passwords, etc).
Jim Pingle wrote:
Yes that's a general issue with XML storage but it's unrelated to this specific bug. We use CDATA encoding to protect some fields (depending on the name), base64 to protect others, and input validation to prevent using certain strings in even more. The best fit generally depends on the content and where it is (for example, base system vs packages, text boxes vs text areas, passwords, etc).
Is it possible to create a list of pkgs config entries that must be in CDATA encoding?
Like https://redmine.pfsense.org/issues/7186
It is not viable to set that list up dynamically, since if a user removes the package, the value is still in the config with CDATA encoding which would be removed on the next config.xml save, and then break.
It's better for packages to stick to field names we already encode where possible.
Also available in: Atom
PDF
Updated by 
Updated by Viktor Gurov