Project

General

Profile

Actions

Bug #2294

closed

Output from CSRF magic mangles files in Diagnostics > Edit File

Added by Jim Pingle over 12 years ago. Updated over 12 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
03/14/2012
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

Somehow CSRF Magic code is ending up in the text when you edit a file in Diagnostics > Edit file. One example is with /etc/inc/auth.inc.

Line 106 should be (on RELENG_2_0):
echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";

But it ends up being:
echo "<html><head><title>" . gettext("Redirecting...") . "</title><script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script><script type="text/javascript">var csrfMagicToken = "sid:61313518f80bc98672eca7a8eb590661fee56563,1331764222";var csrfMagicName = "__csrf_magic";</script><script src="/csrf/csrf-magic.js" type="text/javascript"></script></head><body>" . gettext("Redirecting to the dashboard...") . "<script type="text/javascript">CsrfMagic.end();</script></body></html>";

If someone isn't careful, they could corrupt a system file just by attempting a minor edit here.

Actions

Also available in: Atom PDF