Project

General

Profile

Actions
Copy link

Bug #15860

closed

Contents of the configuration may still be stored even when the XML is not valid

Added by Jim Pingle 11 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
High
Assignee:
Marcos M
Category:
Configuration Backend
Target version:
2.8.0
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
25.07
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

If a user is able to add a value to the configuration that renders it invalid XML, it can still be stored and then fails to parse afterward. Usually these get caught and the configuration is rolled back, but it appears that certain errors do not trip this protection.

See #15844 for one example, but this is a more general problem that should be addressed separately.

For example, after triggering the issue in #15844 config.xml has the following content for dashboard widgets:

        <widgets>
                <sequence>system_information:col1:open:0,thermal_sensors:col1:open:0,disks:col1:open:0,zfs:col1:open:0,smart_status:
col1:open:0,openvpn:col2:open:0,interfaces:col2:open:0,interface_statistics:col2:open:0,log:col2:open:0,snort_alerts:col2:open:0</se
quence>
                <period>10</period>
                <system_information-0>
                        <filter></filter>
                </system_information-0>
                <log-0>
                        <descr><![CDATA[Firewall Logs]]></descr>
                </log-0>
                <test/><log-0><filterlogentriesinterval>5;alert("XSS");var test=50</filterlogentriesinterval></log-0><!-->
                        <filterlogentries>10</filterlogentries>
                </test/><log-0><filterlogentriesinterval>5;alert("XSS");var test=50</filterlogentriesinterval></log-0><!-->
        </widgets>

This results in the log-0 tag being present twice which is invalid. From that point anything that touches the configuration will fail with a PHP error:

PHP Fatal error:  Uncaught Exception: XML error: LOG-0 at line 1652 cannot occur more than once
 in /etc/inc/xmlparse.inc:92
Stack trace:
#0 [internal function]: startElement()
#1 /etc/inc/xmlparse.inc(204): xml_parse()
#2 /etc/inc/xmlparse.inc(165): parse_xml_config_raw()
#3 /etc/inc/config.lib.inc(1535): parse_xml_config()
#4 /etc/inc/config.lib.inc(2136): LocalConfig->config_read()
#5 /etc/inc/config.lib.inc(2475): config_provider_init()
#6 /etc/inc/auth.inc(31): require_once('/etc/inc/config...')
#7 /etc/inc/authgui.inc(27): include_once('/etc/inc/auth.i...')
#8 /usr/local/www/guiconfig.inc(61): require_once('/etc/inc/authgu...')
#9 /usr/local/www/widgets/widgets/interfaces.widget.php(25): require_once('/usr/local/www/...')
#10 {main}
  thrown in /etc/inc/xmlparse.inc on line 92

For whatever reason this does not trigger the usual protection that rolls the configuration back to the previous good/working copy.

Actions
Copy link

Also available in: Atom PDF