Bug #9390
closed
diag_backup.php: Backup output generation failure with CSRF script tag inserted into XML
100%
Description
Since the last update (ie: 2.4.4_2), backups fail to restore; previously generated backups will restore, but new backups will fail restoration with the following message:
The following input errors were detected: - The configuration could not be restored.
When creating a backup XML file, regardless of the options (Backup area, Skip packages, Skip RRD data, Encryption) the generated file has an erroneous line at the end, outside the pfSense closing tag. you erroneous line is the following:
<script type="text/javascript">CsrfMagic.end();</script>This CSRF line is added by the output buffer function csrf_ob_handler in the file /usr/local/www/csrf/csrf-magic.php. The generation of the backup file occurs in file /usr/local/www/diag_backup.php on line 228. Due to the CSRF output buffer flag js-rewrite being enabled when the backup is output, the erroneous line is added.
$GLOBALS['csrf']['rewrite-js']This global value needs to be set to false prior to outputting the backup.
BUG FIX to be submitted shortly.
Files
Updated by Anonymous over 5 years ago
I can't reproduce this.
[2.4.4-RELEASE-p2 (amd64)
built on Wed Dec 12 07:40:18 EST 2018
FreeBSD 11.2-RELEASE-p6]
A full backup, using the WebGUI (with RRD data included, or excluded) finishes as expected with </pfsense> and nothing further.
Is there something else that's required to trigger this?
Updated by Jim Pingle over 5 years ago
- File backup-buffer-fix.diff backup-buffer-fix.diff added
- Assignee set to Jim Pingle
That PR is the wrong fix.
I haven't been able to reproduce this here, but it appears to be due to output buffering.
See https://forum.netgate.com/post/822829
The attached patch fixes it properly, but since I can't reproduce it I've been waiting on additional confirmation that it works. It worked for one person on the thread linked above.
Updated by Sam Likins over 5 years ago
That is a bad solution, performing unnecessary complexity, when turning off the flag prior to outputting the payload focuses the solution to the issue.
Updated by Sam Likins over 5 years ago
Look at PR 4055: https://github.com/pfsense/pfsense/pull/4055
Updated by Jim Pingle over 5 years ago
You're entitled to your opinion but I disagree. Output buffering can cause other issues with downloading other than the case you are seeing, and this fixes all potential sources of problems and not the single case covered by the other fix. See #9239
Updated by Jim Pingle over 5 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 4015b03d4b184e546cb3590430fee6f9953ce23e.
Updated by Jim Pingle over 5 years ago
Two reports of success with the committed patch, for different issues as well:
https://forum.netgate.com/post/825828
https://forum.netgate.com/topic/141378/issues-with-update-to-2-4-2_2
Updated by Jim Pingle over 5 years ago
- Target version changed from 2.5.0 to 2.4.4-p3
Updated by Jim Pingle over 5 years ago
- Status changed from Feedback to Resolved
Unable to reproduce on -p3. Looks good all around.
No CSRF string in a previously affected system, and also a complete configuration download from a system that previously cut off early due to output buffering.