Bug #14622
closed
Special characters can cause the CDATA tags to be stripped during HA Sync
0%
Description
Tested on
23.05.1-RELEASE (amd64) built on Wed Jun 28 03:57:27 UTC 2023 FreeBSD 14.0-CURRENT
When a user's full name includes special characters such as é (which is encoded as é), the HA sync can fail, resulting in the following error on the Secondary. When this occurs, all CDATA tags are missing from the resulting config.xml.bad.
Netgate pfSense Plus is restoring the configuration /cf/conf/backup/config-1690579542.xml @ 2023-07-28 23:25:46
Updated by Udo Llorens about 2 years ago
Tested on
2.7.0-RELEASE (amd64)
built on Wed Jun 28 03:53:34 UTC 2023
FreeBSD 14.0-CURRENT
We are having a similar issue which seems to come from the same bug. When an alias table contains accented characters, it fails on HA Sync on the secondary box.
pfSense is restoring the configuration /cf/conf/backup/config-1690796809.xml
Upon inspection of both configuration files (primary and secondary box) we see that CTAGS have been updated and contain the accented character in the form of "Á" in the case of an accented Á.
So: no CTAGS removing, but constant errors of restoring configuration.
Updated by Udo Llorens about 2 years ago
Upon further testing we found the following:
Accented characters (or an apostrophe for that matter too) present in aliases or any description field (we have seen it happen in routes and rules) can trigger the error.
php-fpm[36445]: /xmlrpc.php: Configuration Change: (system)@10.64.255.1: Merged in config (staticroutes, gateways, virtualip, system, hasync, aliases, ca, cert, crl, dhcpd, dnsmasq, filter, ipsec, nat, openvpn, schedules, unbound sections) from XMLRPC client.
php-fpm[36445]: /xmlrpc.php: XML error: Undeclared entity error at line 249 in /conf/config.xml
We have tested by creating special characters in descriptions on aliases. It does not always error like the above, but it does sync the configuration. Sometimes the secondary configuration problem field does not get updated.
In this particular error, we added an accented character to an alias, and the error came from a route description with an accented character. However, we had made multiple configuration changes with accented and non-accented characters before and the error did not happen (the route with the special character in the description was always there).
Updated by Jim Pingle about 2 years ago
- Category changed from High Availability to XMLRPC
- Status changed from New to Not a Bug
I can't duplicate this as stated in any case. I can create a user with a full name of "Tést" and it synchronizes without error. I can create an alias with the same description in the alias itself or in a row entry, still synchronizes without error.
There was a recent report that was similar where a package was doing XMLRPC (IIRC it was Suricata) and that package sync is what was causing the error, not the built-in base system sync.
If you have any packages configured to do XMLRPC sync, disable them and try again.
Not all fields get CDATA protection, however. Only fields defined in is_cdata_entity() will get CDATA protection during XML operations.
If you can still find a way to reproduce this error using only the base pfSense software (Plus or CE) and NO packages, then we will need a more detailed procedure to reproduce it since we can't replicate it with a typical lab setup.
If it turns out to be specific to one package, then an issue can be opened specific to that package to have it addressed there.
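Added example, not part of the ticket or of pfSense's code: a small Python check for locating the field behind an "Undeclared entity error at line N" message, by listing named entity references that sit outside CDATA and are not among XML's five predefined entities. The function names, the sample document and its `<note>` element are assumptions made for illustration, and Python's expat parser stands in for the parser that produced the logged error.

```python
import re
import xml.parsers.expat

# The five entities every XML parser knows without a DTD.
XML_PREDEFINED = {"amp", "lt", "gt", "quot", "apos"}
CDATA_RE = re.compile(r"<!\[CDATA\[.*?\]\]>", re.S)
NAMED_ENTITY_RE = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")

def find_undeclared_entities(xml_text):
    """Return (line, entity) pairs for named entities outside CDATA."""
    # Blank out CDATA bodies but keep newlines so line numbers stay correct.
    masked = CDATA_RE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), xml_text)
    hits = []
    for m in NAMED_ENTITY_RE.finditer(masked):
        if m.group(1) not in XML_PREDEFINED:
            line = masked.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0)))
    return hits

def parse_error(xml_text):
    """Return None if expat parses the text, else (line, message)."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(xml_text, True)
        return None
    except xml.parsers.expat.ExpatError as exc:
        return (exc.lineno, xml.parsers.expat.ErrorString(exc.code))

# Constructed sample, not taken from a real config.xml.
# <note> is a hypothetical field that is stored without CDATA wrapping.
SAMPLE = """<?xml version="1.0"?>
<pfsense>
  <alias>
    <name>web_hosts</name>
    <descr><![CDATA[Servidores &Aacute;rea 1]]></descr>
  </alias>
  <route>
    <note>Ruta &Aacute;rea 2 &amp; backup</note>
  </route>
</pfsense>
"""

if __name__ == "__main__":
    for line, entity in find_undeclared_entities(SAMPLE):
        print(f"line {line}: {entity} outside CDATA")
    print("parser:", parse_error(SAMPLE))
```

The same text inside CDATA on line 5 parses cleanly, so only the unwrapped field on line 8 is reported, which matches the line number the parser gives.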