Bug #2294

closed

Output from CSRF magic mangles files in Diagnostics > Edit File

Added by Jim Pingle about 12 years ago. Updated about 12 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Web Interface
Target version:
Start date: 03/14/2012
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
Affected Architecture:

Description

Somehow CSRF Magic code is ending up in the text when you edit a file in Diagnostics > Edit file. One example is with /etc/inc/auth.inc.

Line 106 should be (on RELENG_2_0):
echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";

But it ends up being:
echo "<html><head><title>" . gettext("Redirecting...") . "</title><script type="text/javascript">if (top != self) {top.location.href = self.location.href;}</script><script type="text/javascript">var csrfMagicToken = "sid:61313518f80bc98672eca7a8eb590661fee56563,1331764222";var csrfMagicName = "__csrf_magic";</script><script src="/csrf/csrf-magic.js" type="text/javascript"></script></head><body>" . gettext("Redirecting to the dashboard...") . "<script type="text/javascript">CsrfMagic.end();</script></body></html>";

If someone isn't careful, they could corrupt a system file just by attempting a minor edit here.
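The mechanism behind the report, as an added illustration that is not part of the bug report and not pfSense's or csrf-magic's own code: a CSRF helper that bootstraps its JavaScript by rewriting the output buffer looks for the first `</head>` and `</body>` in whatever the server emits. If the file editor returns a file's text through a response that also passes through that filter (an assumption made here for the model), the file's own HTML string literals are treated as page markup and the script tags land inside the file. The `csrf_ob_filter` below is a simplified stand-in for such a handler, the token is a constructed placeholder, and the sample file line is constructed to resemble the `auth.inc` line quoted above. Two mitigations are modelled: skipping the rewrite for responses that are not `text/html`, and HTML-escaping file contents when they are embedded in a `<textarea>` so the raw tags never reach the filter (which also keeps a file containing `</textarea>` from breaking out of the editor).

```python
import html

# Constructed placeholder; the token in the report is session-specific.
CSRF_TOKEN = "sid:EXAMPLE_TOKEN_PLACEHOLDER,0"

HEAD_INJECT = (
    '<script type="text/javascript">var csrfMagicToken = "' + CSRF_TOKEN + '";'
    'var csrfMagicName = "__csrf_magic";</script>'
    '<script src="/csrf/csrf-magic.js" type="text/javascript"></script>'
)
BODY_INJECT = '<script type="text/javascript">CsrfMagic.end();</script>'


def csrf_ob_filter(body: str) -> str:
    """Simplified model of an output-buffer filter that inserts the CSRF
    bootstrap before the first </head> and the teardown before the first
    </body>. Stand-in for illustration, not csrf-magic's own handler."""
    body = body.replace("</head>", HEAD_INJECT + "</head>", 1)
    body = body.replace("</body>", BODY_INJECT + "</body>", 1)
    return body


def content_type_aware_filter(body: str, content_type: str) -> str:
    """Hardened variant: rewrite only HTML documents. A file served as
    text/plain passes through untouched, tags in its text included."""
    if content_type.split(";")[0].strip().lower() != "text/html":
        return body
    return csrf_ob_filter(body)


# Constructed sample resembling the auth.inc line quoted in the report.
SAMPLE_FILE = (
    'echo "<html><head><title>" . gettext("Redirecting...") . '
    '"</title></head><body>" . gettext("Redirecting to the dashboard...") . '
    '"</body></html>";\n'
)


def serve_file_vulnerable(file_text: str) -> str:
    """Models an editor endpoint that returns the file verbatim while every
    response, HTML or not, goes through the filter: the file is mangled."""
    return csrf_ob_filter(file_text)


def serve_file_hardened(file_text: str) -> str:
    """Same endpoint, but the response is declared text/plain, so the
    content-type-aware filter leaves it alone."""
    return content_type_aware_filter(file_text, "text/plain; charset=utf-8")


def render_textarea(file_text: str) -> str:
    """If the file is embedded in an HTML page instead, escape it first: the
    filter then only sees the page's own </head> and </body>, and the browser
    decodes &lt;/head&gt; back to </head> inside the textarea."""
    page = (
        "<html><head></head><body><textarea>"
        + html.escape(file_text)
        + "</textarea></body></html>"
    )
    return csrf_ob_filter(page)


def textarea_contents(page: str) -> str:
    """Recover what a browser would show in the textarea: the escaped text
    cannot contain a raw </textarea>, so the first one is the real close."""
    start = page.index("<textarea>") + len("<textarea>")
    end = page.index("</textarea>")
    return html.unescape(page[start:end])


if __name__ == "__main__":
    print("verbatim + filter mangled:", serve_file_vulnerable(SAMPLE_FILE) != SAMPLE_FILE)
    print("text/plain + aware filter mangled:", serve_file_hardened(SAMPLE_FILE) != SAMPLE_FILE)
    print("textarea round-trips:", textarea_contents(render_textarea(SAMPLE_FILE)) == SAMPLE_FILE)
```

Running the block reports that the verbatim response is mangled while both hardened paths return the file unchanged; the second path is the one to prefer when the editor must embed the text in a page, since it removes the HTML-injection hazard of raw file contents at the same time.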
