Bug #2294

closed

Output from CSRF magic mangles files in Diagnostics > Edit File

Added by Jim Pingle over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Web Interface
Target version:
Start date: 03/14/2012
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

Somehow CSRF Magic code is ending up in the text when you edit a file in Diagnostics > Edit file. One example is with /etc/inc/auth.inc.

Line 106 should be (on RELENG_2_0):
echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";

But it ends up being:
echo "<html><head><title>" . gettext("Redirecting...") . "</title><script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script><script type="text/javascript">var csrfMagicToken = "sid:61313518f80bc98672eca7a8eb590661fee56563,1331764222";var csrfMagicName = "__csrf_magic";</script><script src="/csrf/csrf-magic.js" type="text/javascript"></script></head><body>" . gettext("Redirecting to the dashboard...") . "<script type="text/javascript">CsrfMagic.end();</script></body></html>";

If someone isn't careful, they could corrupt a system file just by attempting a minor edit here.
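
One failure mode that produces this symptom, shown as an added example (not code from this ticket, pfSense or csrf-magic): a response rewriter that matches `</head>` and `</body>` as plain strings also rewrites file content carried in the same response. The names `inject_markup()`, `render_editor()` and `textarea_value()` are hypothetical, and the escaping shown is an assumed mitigation, not the fix recorded in this ticket.

```php
<?php
// Simplified, hypothetical stand-in for an output-buffer rewriter.
// It is not csrf-magic's code; the token value is a placeholder.
function inject_markup(string $buffer): string
{
    $head = '<script type="text/javascript">var csrfMagicToken = "sid:PLACEHOLDER";</script>';
    $tail = '<script type="text/javascript">CsrfMagic.end();</script>';
    // Plain string matching: the rewriter cannot tell page markup from file content.
    $buffer = str_ireplace('</head>', $head . '</head>', $buffer);
    return str_ireplace('</body>', $tail . '</body>', $buffer);
}

// Hypothetical editor page: the file content is placed inside a <textarea>.
function render_editor(string $content, bool $escape): string
{
    $body = $escape ? htmlspecialchars($content, ENT_QUOTES, 'UTF-8') : $content;
    return "<html><head><title>Edit File</title></head><body>"
         . "<textarea name=\"data\">{$body}</textarea></body></html>";
}

// What the browser would display in the textarea and submit back on save.
function textarea_value(string $html): string
{
    preg_match('~<textarea[^>]*>(.*?)</textarea>~s', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample, modelled on the line quoted in the report.
$line = 'echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>"'
      . ' . gettext("Redirecting to the dashboard...") . "</body></html>";';

// Compare the round trip with and without entity-escaping the file content.
foreach ([false, true] as $escape) {
    $seen = textarea_value(inject_markup(render_editor($line, $escape)));
    printf("escaped=%s intact=%s\n", var_export($escape, true), var_export($seen === $line, true));
}
```

When the content is entity-escaped before it reaches the rewriter, the file's own `</head>` and `</body>` no longer match, so only the page's real tags receive the injected markup.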

#1

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Darren Embry
#2

Updated by Darren Embry over 9 years ago

  • Status changed from Assigned to Resolved
  • % Done changed from 0 to 100