Project

General

Profile

Bug #9390

diag_backup.php: Backup output generation failure with CSRF script tag inserted into XML

Added by Sam Likins about 1 month ago. Updated about 1 month ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Backup/restore
Target version:
Start date:
03/10/2019
Due date:
% Done:

100%

Estimated time:
Affected Version:
2.4.4_2
Affected Architecture:
All

Description

Since the last update (ie: 2.4.4_2), backups fail to restore; previously generated backups will restore, but new backups will fail restoration with the following message:

The following input errors were detected:

 - The configuration could not be restored.

When creating a backup XML file, regardless of the options (Backup area, Skip packages, Skip RRD data, Encryption) the generated file has an erroneous line at the end, outside the pfSense closing tag. you erroneous line is the following:

<script type="text/javascript">CsrfMagic.end();</script>

This CSRF line is added by the output buffer function csrf_ob_handler in the file /usr/local/www/csrf/csrf-magic.php. The generation of the backup file occurs in file /usr/local/www/diag_backup.php on line 228. Due to the CSRF output buffer flag js-rewrite being enabled when the backup is output, the erroneous line is added.

$GLOBALS['csrf']['rewrite-js']

This global value needs to be set to false prior to outputting the backup.

BUG FIX to be submitted shortly.

backup-buffer-fix.diff (471 Bytes) backup-buffer-fix.diff Jim Pingle, 03/10/2019 05:46 PM

Associated revisions

Revision 4015b03d (diff)
Added by Jim Pingle about 1 month ago

Fix output buffering when downloading config backups. Fixes #9390

Revision 428f6f02 (diff)
Added by Jim Pingle about 1 month ago

Fix output buffering when downloading config backups. Fixes #9390

(cherry picked from commit 4015b03d4b184e546cb3590430fee6f9953ce23e)

History

#1 Updated by Tim Harman about 1 month ago

I can't reproduce this.
[2.4.4-RELEASE-p2 (amd64)
built on Wed Dec 12 07:40:18 EST 2018
FreeBSD 11.2-RELEASE-p6]

A full backup, using the WebGUI (with RRD data included, or excluded) finishes as expected with </pfsense> and nothing further.
Is there something else that's required to trigger this?

#2 Updated by Sam Likins about 1 month ago

PR #4055 Created

#3 Updated by Jim Pingle about 1 month ago

That PR is the wrong fix.

I haven't been able to reproduce this here, but it appears to be due to output buffering.

See https://forum.netgate.com/post/822829

The attached patch fixes it properly, but since I can't reproduce it I've been waiting on additional confirmation that it works. It worked for one person on the thread linked above.

#4 Updated by Sam Likins about 1 month ago

That is a bad solution, performing unnecessary complexity, when turning off the flag prior to outputting the payload focuses the solution to the issue.

#6 Updated by Jim Pingle about 1 month ago

You're entitled to your opinion but I disagree. Output buffering can cause other issues with downloading other than the case you are seeing, and this fixes all potential sources of problems and not the single case covered by the other fix. See #9239

#7 Updated by Jim Pingle about 1 month ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#8 Updated by Jim Pingle about 1 month ago

Two reports of success with the committed patch, for different issues as well:

https://forum.netgate.com/post/825828
https://forum.netgate.com/topic/141378/issues-with-update-to-2-4-2_2

#9 Updated by Jim Pingle about 1 month ago

  • Target version changed from 48 to 2.5.0

Also available in: Atom PDF