Bug #8259: Range description is not encoded in firewall_schedule.php - pfSense - pfSense bugtracker

Bug #8259

Range description is not encoded in firewall_schedule.php

Added by Jim Pingle 10 months ago. Updated 8 months ago.

Status:

Resolved

Priority:

Very Low

Assignee:

Category:

Rules/NAT

Target version:

Start date:

01/05/2018

Due date:

% Done:

100%

Estimated time:

Affected Version:

All

Affected Architecture:

All

Description

On firewall_schedule.php the rangedescr for time ranges is not encoded before display. However, an invalid entry cannot be made using the GUI to take advantage of the issue.

Achieving an XSS requires manually modifying a backup to trigger the issue, and if someone can restore a manually modified backup, there are many worse things they could do. Thus it is not considered a viable threat.

Associated revisions

Revision 2f7d3a1f (diff)
Added by Jim Pingle 10 months ago

Encode rangedescr before display in firewall_schedules.php. Fixes #8259

Revision 55ea766a (diff)
Added by Jim Pingle 10 months ago

Encode rangedescr before display in firewall_schedules.php. Fixes #8259

(cherry picked from commit 2f7d3a1f3c9b00a815037e1f4b8a88c938a8f42d)

Revision cc646dfa (diff)
Added by Jim Pingle 10 months ago

Encode rangedescr before display in firewall_schedules.php. Fixes #8259

(cherry picked from commit 2f7d3a1f3c9b00a815037e1f4b8a88c938a8f42d)

Revision 34c3aeac (diff)
Added by Jim Pingle 10 months ago

Encode rangedescr before display in firewall_schedules.php. Fixes #8259

(cherry picked from commit 2f7d3a1f3c9b00a815037e1f4b8a88c938a8f42d)

History

#1 Updated by Jim Pingle 10 months ago

Status changed from Confirmed to Feedback
% Done changed from 0 to 100

Applied in changeset 2f7d3a1f3c9b00a815037e1f4b8a88c938a8f42d.

#2 Updated by Jim Pingle 8 months ago

Status changed from Feedback to Resolved

OK now.

Also available in: Atom PDF