Bug #3525

closed

Dansguardian Writing Script Garbage (CsrfMagic.end)

Added by William Bell almost 12 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 03/17/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

On a clean install of pfSense 2.1, I have installed the following:

  • squid 2.7.9 pkg v.4.3.3
  • Sarge 2.3.6_2 pkg v.0.6.3
  • Dansguardian 2.12.0.3 pkg v.0.1.8

After configuring squid, Dansguardian, and a NAT rule, traffic is passing normally.

The issue lies when I go to edit Dansguardian's Report file, under the Services > Dansguardian > Report and log tab. Even if you make no changes to the file, if you click the Save button at the bottom of the page, the following code is being appended to the file. And upon each save, another is appended.

<script type="text/javascript">CsrfMagic.end();</script>

Bug #2294 seems to address a similar issue, but it is not fixed on the page mentioned above.

Actions #1

Updated by Jim Pingle almost 12 years ago

The Dansguardian author/maintainer will need to add code to that page in the package to disable CSRF for that specific page.

Actions #2

Updated by Calvin Kruse over 11 years ago

I am also seeing this bug. I wish I knew where to submit a report to the dansguardian package maintainer, though.

Actions #3

Updated by Chris Buechler about 11 years ago

  • Subject changed from pfSense Writing Script Garbage (CsrfMagic.end) to Dansguardian Writing Script Garbage (CsrfMagic.end)
  • Affected Version deleted (2.1)

Actions #4

Updated by Kill Bill about 10 years ago

That page is an XML template and the textarea is base64-encoded. This bug doesn't make any sense and does not exist as described. Also, there's no way to "add code to that page in the package to disable CSRF".

If you created a custom "Access Denied cgi" page, it's your responsibility to make it correct.

Close this, please.

Actions #5

Updated by Chris Buechler over 9 years ago

  • Status changed from New to Closed

Actions #6

Updated by William Bell over 9 years ago

Kill Bill wrote:

> That page is an XML template and the textarea is base64-encoded. This bug doesn't make any sense and does not exist as described. Also, there's no way to "add code to that page in the package to disable CSRF".
>
> If you created a custom "Access Denied cgi" page, it's your responsibility to make it correct.
>
> Close this, please.

Say what you want, but a quick Google search turns up other users experiencing this same issue.

Sounds to me as if you didn't even try to replicate this issue.

Actions #7

Updated by Chris Buechler over 9 years ago

William Bell wrote:

> Sounds to me as if you didn't even try to replicate this issue.

I closed this because Dansguardian is dead upstream and hence the package has been removed.
