Project

General

Profile

Actions

Bug #9390

closed

diag_backup.php: Backup output generation failure with CSRF script tag inserted into XML

Added by Sam Likins over 5 years ago. Updated over 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Backup / Restore
Target version:
Start date:
03/10/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.4.4_2
Affected Architecture:
All

Description

Since the last update (ie: 2.4.4_2), backups fail to restore; previously generated backups will restore, but new backups will fail restoration with the following message:

The following input errors were detected:

 - The configuration could not be restored.

When creating a backup XML file, regardless of the options (Backup area, Skip packages, Skip RRD data, Encryption) the generated file has an erroneous line at the end, outside the pfSense closing tag. you erroneous line is the following:

<script type="text/javascript">CsrfMagic.end();</script>

This CSRF line is added by the output buffer function csrf_ob_handler in the file /usr/local/www/csrf/csrf-magic.php. The generation of the backup file occurs in file /usr/local/www/diag_backup.php on line 228. Due to the CSRF output buffer flag js-rewrite being enabled when the backup is output, the erroneous line is added.

$GLOBALS['csrf']['rewrite-js']

This global value needs to be set to false prior to outputting the backup.

BUG FIX to be submitted shortly.


Files

backup-buffer-fix.diff (471 Bytes) backup-buffer-fix.diff Jim Pingle, 03/10/2019 05:46 PM
Actions #1

Updated by Anonymous over 5 years ago

I can't reproduce this.
[2.4.4-RELEASE-p2 (amd64)
built on Wed Dec 12 07:40:18 EST 2018
FreeBSD 11.2-RELEASE-p6]

A full backup, using the WebGUI (with RRD data included, or excluded) finishes as expected with </pfsense> and nothing further.
Is there something else that's required to trigger this?

Actions #2

Updated by Sam Likins over 5 years ago

PR #4055 Created

Actions #3

Updated by Jim Pingle over 5 years ago

That PR is the wrong fix.

I haven't been able to reproduce this here, but it appears to be due to output buffering.

See https://forum.netgate.com/post/822829

The attached patch fixes it properly, but since I can't reproduce it I've been waiting on additional confirmation that it works. It worked for one person on the thread linked above.

Actions #4

Updated by Sam Likins over 5 years ago

That is a bad solution, performing unnecessary complexity, when turning off the flag prior to outputting the payload focuses the solution to the issue.

Actions #6

Updated by Jim Pingle over 5 years ago

You're entitled to your opinion but I disagree. Output buffering can cause other issues with downloading other than the case you are seeing, and this fixes all potential sources of problems and not the single case covered by the other fix. See #9239

Actions #7

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #8

Updated by Jim Pingle over 5 years ago

Two reports of success with the committed patch, for different issues as well:

https://forum.netgate.com/post/825828
https://forum.netgate.com/topic/141378/issues-with-update-to-2-4-2_2

Actions #9

Updated by Jim Pingle over 5 years ago

  • Target version changed from 48 to 2.5.0
Actions #10

Updated by Jim Pingle over 5 years ago

  • Target version changed from 2.5.0 to 2.4.4-p3
Actions #11

Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved

Unable to reproduce on -p3. Looks good all around.

No CSRF string in a previously affected system, and also a complete configuration download from a system that previously cut off early due to output buffering.

Actions

Also available in: Atom PDF