diag_backup.php: Backup output generation failure with CSRF script tag inserted into XML
Since the last update (i.e. 2.4.4_2), backups fail to restore; previously generated backups will restore, but new backups will fail restoration with the following message:
The following input errors were detected: - The configuration could not be restored.
When creating a backup XML file, regardless of the options (Backup area, Skip packages, Skip RRD data, Encryption), the generated file has an erroneous line at the end, outside the pfSense closing tag. The erroneous line is the following:
This CSRF line is added by the output buffer function csrf_ob_handler in the file /usr/local/www/csrf/csrf-magic.php. The generation of the backup file occurs in file /usr/local/www/diag_backup.php on line 228. Due to the CSRF output buffer flag js-rewrite being enabled when the backup is output, the erroneous line is added.
This global value needs to be set to false prior to outputting the backup.
BUG FIX to be submitted shortly.
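The mechanism the report describes, as an added illustration that is not pfSense's or csrf-magic's own code: an output-buffer callback that appends a script tag whenever a rewrite flag is set will do so to any buffered output, an XML download included, leaving junk after the root element's closing tag. The handler, flag name, XML content and the restorability check below are simplified stand-ins and assumptions, not the project's code, and setting the flag to false is shown only as the workaround the report proposes, not as the fix that was eventually committed.

```php
<?php
// Added illustration, not pfSense or csrf-magic code. The flag, handler and
// XML are simplified stand-ins for what the report describes.

// Stand-in for the csrf-magic rewrite flag the report refers to; assumed
// to be enabled when the page is loaded.
$GLOBALS['csrf']['rewrite-js'] = true;

// Simplified stand-in for csrf_ob_handler: when the flag is on it appends a
// script tag to whatever passes through the output buffer, XML included.
function demo_csrf_ob_handler(string $buffer, int $flags): string
{
    if (!empty($GLOBALS['csrf']['rewrite-js'])) {
        $buffer .= "<script type=\"text/javascript\">/* csrf rewrite */</script>\n";
    }
    return $buffer;
}

// Emit a backup through the handler, the way the report describes it, and
// capture what the browser would receive. An outer plain buffer collects
// the handler's output because ob_get_clean() alone would skip the callback.
function generate_backup(string $xml): string
{
    ob_start();                          // outer buffer: collects final output
    ob_start('demo_csrf_ob_handler');    // inner buffer: runs the handler
    echo $xml;
    ob_end_flush();                      // handler runs, result goes to the outer buffer
    return ob_get_clean();
}

// Check a generated backup the way a restore would need it: the last
// non-whitespace bytes must be the closing root tag and the document must
// parse as XML. Assumed check, not pfSense's restore logic.
function backup_is_restorable(string $data): bool
{
    if (!preg_match('/<\/pfsense>\s*$/', $data)) {
        return false;                    // trailing junk after the root element
    }
    libxml_use_internal_errors(true);
    $ok = simplexml_load_string($data) !== false;
    libxml_clear_errors();
    return $ok;
}

// Constructed minimal document, not a real pfSense backup.
$xml = "<?xml version=\"1.0\"?>\n<pfsense><version>18.9</version></pfsense>\n";

// Flag on: the script tag lands after </pfsense> and the check fails.
$broken = generate_backup($xml);
echo "flag on, restorable: ", var_export(backup_is_restorable($broken), true), "\n";

// Workaround proposed in the report: disable the flag before emitting the file.
$GLOBALS['csrf']['rewrite-js'] = false;
$clean = generate_backup($xml);
echo "flag off, restorable: ", var_export(backup_is_restorable($clean), true), "\n";
```

Run with `php demo.php`. The point of the trailing-tag check is that it catches exactly this class of corruption without decrypting or fully validating the backup: anything a buffering layer appends after the root element will fail it, so it is a cheap assertion to run on a freshly generated backup before relying on it.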
#1 Updated by Tim Harman about 1 month ago
I can't reproduce this.
built on Wed Dec 12 07:40:18 EST 2018
A full backup, using the WebGUI (with RRD data included, or excluded) finishes as expected with </pfsense> and nothing further.
Is there something else that's required to trigger this?
#3 Updated by Jim Pingle about 1 month ago
That PR is the wrong fix.
I haven't been able to reproduce this here, but it appears to be due to output buffering.
The attached patch fixes it properly, but since I can't reproduce it I've been waiting on additional confirmation that it works. It worked for one person on the thread linked above.
#8 Updated by Jim Pingle about 1 month ago
Two reports of success with the committed patch, for different issues as well: