Bug #3525
closed
Dansguardian Writing Script Garbage (CsrfMagic.end)
Added by William Bell almost 12 years ago.
Updated over 9 years ago.
Description
On a clean install of pfSense 2.1, I have installed the following:
- squid 2.7.9 pkg v.4.3.3
- Sarge 2.3.6_2 pkg v.0.6.3
- Dansguardian 2.12.0.3 pkg v.0.1.8
After configuring squid, Dansguardian, and a NAT rule, traffic is passing normally.
The issue lies when I go to edit Dansguardian's Report file, under the Services > Dansguardian > Report and log tab. Even if you make no changes to the file, if you click the Save button at the bottom of the page, the following code is being appended to the file. And upon each save, another is appended.
<script type="text/javascript">CsrfMagic.end();</script>
Bug #2294 seems to address a similar issue, but it is not fixed on the page mentioned above.
The Dansguardian author/maintainer will need to add code to that page in the package to disable CSRF for that specific page.
I am also seeing this bug. I wish I knew where to submit a report to the dansguardian package maintainer, though.
- Subject changed from pfSense Writing Script Garbage (CsrfMagic.end) to Dansguardian Writing Script Garbage (CsrfMagic.end)
- Affected Version deleted (
2.1)
That page is a XML template and the textarea is base64-encoded. This bug doesn't make any sense and does not exist as described. Also, there's no way to "add code to that page in the package to disable CSRF".
If you created a custom "Access Denied cgi" page, it's your responsibility to make it correct.
Close this, please.
- Status changed from New to Closed
Kill Bill wrote:
That page is a XML template and the textarea is base64-encoded. This bug doesn't make any sense and does not exist as described. Also, there's no way to "add code to that page in the package to disable CSRF".
If you created a custom "Access Denied cgi" page, it's your responsibility to make it correct.
Close this, please.
Say what you want, but a quick Google search turns up other users experiencing this same issue.
Sounds to me as if you didn't even try to replicate this issue.
William Bell wrote:
Sounds to me as if you didn't even try to replicate this issue.
I closed this because Dansguardian is dead upstream and hence the package has been removed.
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by Kill Bill 
Updated by