Bug #15860
closed
Contents of the configuration may still be stored even when the XML is not valid
100%
Description
If a user is able to add a value to the configuration that renders it invalid XML, it can still be stored and then fails to parse afterward. Usually these get caught and the configuration is rolled back, but it appears that certain errors do not trip this protection.
See #15844 for one example, but this is a more general problem that should be addressed separately.
For example, after triggering the issue in #15844 config.xml has the following content for dashboard widgets:
<widgets>
<sequence>system_information:col1:open:0,thermal_sensors:col1:open:0,disks:col1:open:0,zfs:col1:open:0,smart_status:
col1:open:0,openvpn:col2:open:0,interfaces:col2:open:0,interface_statistics:col2:open:0,log:col2:open:0,snort_alerts:col2:open:0</se
quence>
<period>10</period>
<system_information-0>
<filter></filter>
</system_information-0>
<log-0>
<descr><![CDATA[Firewall Logs]]></descr>
</log-0>
<test/><log-0><filterlogentriesinterval>5;alert("XSS");var test=50</filterlogentriesinterval></log-0><!-->
<filterlogentries>10</filterlogentries>
</test/><log-0><filterlogentriesinterval>5;alert("XSS");var test=50</filterlogentriesinterval></log-0><!-->
</widgets>
This results in the log-0 tag being present twice which is invalid. From that point anything that touches the configuration will fail with a PHP error:
PHP Fatal error: Uncaught Exception: XML error: LOG-0 at line 1652 cannot occur more than once
in /etc/inc/xmlparse.inc:92
Stack trace:
#0 [internal function]: startElement()
#1 /etc/inc/xmlparse.inc(204): xml_parse()
#2 /etc/inc/xmlparse.inc(165): parse_xml_config_raw()
#3 /etc/inc/config.lib.inc(1535): parse_xml_config()
#4 /etc/inc/config.lib.inc(2136): LocalConfig->config_read()
#5 /etc/inc/config.lib.inc(2475): config_provider_init()
#6 /etc/inc/auth.inc(31): require_once('/etc/inc/config...')
#7 /etc/inc/authgui.inc(27): include_once('/etc/inc/auth.i...')
#8 /usr/local/www/guiconfig.inc(61): require_once('/etc/inc/authgu...')
#9 /usr/local/www/widgets/widgets/interfaces.widget.php(25): require_once('/usr/local/www/...')
#10 {main}
thrown in /etc/inc/xmlparse.inc on line 92
For whatever reason this does not trigger the usual protection that rolls the configuration back to the previous good/working copy.
Updated by Jim Pingle 11 months ago
It's probably also worth checking for and rejecting any configuration that has XML comment tags (<!--) as they shouldn't occur naturally.
Updated by Marcos M 10 months ago
- Assignee set to Marcos M
Fixed with e930812c680fa4adfc8d9330bec871ef57e1d1d5
After restoring an invalid config:
Restored "/cf/conf/backup/config-1733335500.xml" because "/cf/conf/config.xml" is invalid or does not exist. Currently running PHP scripts may encounter errors. @ 2024-12-04 18:05:52
This does not address the issue with <!--.
Updated by Marcos M 10 months ago
- % Done changed from 0 to 100
Applied in changeset e930812c680fa4adfc8d9330bec871ef57e1d1d5.
Updated by Jim Pingle 10 months ago
- Status changed from Feedback to Resolved
This looks good with the patch applied. I moved the XML comment thing to its own issue: #15901
Updated by Jim Pingle 10 months ago
- Plus Target Version changed from 25.01 to 25.03
Updated by Jim Pingle 3 months ago
- Plus Target Version changed from 25.03 to 25.07