pfSense bugtracker
pfSense - Bug #9390: diag_backup.php: Backup output generation failure with CSRF script tag inserted into XML
https://redmine.pfsense.org/issues/9390?journal_id=40088 2019-03-10T17:35:42Z Anonymous
<ul></ul><p>I can't reproduce this. <br />[2.4.4-RELEASE-p2 (amd64) <br />built on Wed Dec 12 07:40:18 EST 2018 <br />FreeBSD 11.2-RELEASE-p6]</p>
<p>A full backup, using the WebGUI (with RRD data included, or excluded) finishes as expected with &lt;/pfsense&gt; and nothing further.<br />Is there something else that's required to trigger this?</p>
https://redmine.pfsense.org/issues/9390?journal_id=40090 2019-03-10T17:39:06Z Sam Likins sam.likins@wsi-services.com
<ul></ul><p>PR <a class="issue tracker-2 status-6 priority-4 priority-default closed" title="Feature: Enable area authentication from GUI (Rejected)" href="https://redmine.pfsense.org/issues/4055">#4055</a> Created</p>
https://redmine.pfsense.org/issues/9390?journal_id=40091 2019-03-10T17:47:53Z Jim Pingle
<ul><li><strong>File</strong> <a href="/attachments/2713">backup-buffer-fix.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2713/backup-buffer-fix.diff">backup-buffer-fix.diff</a> added</li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li></ul><p>That PR is the wrong fix.</p>
<p>I haven't been able to reproduce this here, but it appears to be due to output buffering.</p>
<p>See <a class="external" href="https://forum.netgate.com/post/822829">https://forum.netgate.com/post/822829</a></p>
<p>The attached patch fixes it properly, but since I can't reproduce it I've been waiting on additional confirmation that it works. It worked for one person on the thread linked above.</p>
https://redmine.pfsense.org/issues/9390?journal_id=40092 2019-03-10T17:52:39Z Sam Likins sam.likins@wsi-services.com
<ul></ul><p>That is a bad solution, performing unnecessary complexity, when turning off the flag prior to outputting the payload focuses the solution to the issue.</p>
https://redmine.pfsense.org/issues/9390?journal_id=40093 2019-03-10T17:54:12Z Sam Likins sam.likins@wsi-services.com
<ul></ul><p>Look at PR 4055: <a class="external" href="https://github.com/pfsense/pfsense/pull/4055">https://github.com/pfsense/pfsense/pull/4055</a></p>
https://redmine.pfsense.org/issues/9390?journal_id=40094 2019-03-10T17:59:34Z Jim Pingle
<ul></ul><p>You're entitled to your opinion but I disagree. Output buffering can cause other issues with downloading other than the case you are seeing, and this fixes all potential sources of problems and not the single case covered by the other fix. See <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: WebGUI: Diagnostics > Packet Capture will try to display any size of pcap file. (Resolved)" href="https://redmine.pfsense.org/issues/9239">#9239</a></p>
https://redmine.pfsense.org/issues/9390?journal_id=40096 2019-03-10T18:50:17Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Fix output buffering when downloading config backups. Fixes #9390" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/4015b03d4b184e546cb3590430fee6f9953ce23e">4015b03d4b184e546cb3590430fee6f9953ce23e</a>.</p>
https://redmine.pfsense.org/issues/9390?journal_id=40101 2019-03-11T18:53:36Z Jim Pingle
<ul></ul><p>Two reports of success with the committed patch, for different issues as well:</p>
<p><a class="external" href="https://forum.netgate.com/post/825828">https://forum.netgate.com/post/825828</a><br /><a class="external" href="https://forum.netgate.com/topic/141378/issues-with-update-to-2-4-2_2">https://forum.netgate.com/topic/141378/issues-with-update-to-2-4-2_2</a></p>
https://redmine.pfsense.org/issues/9390?journal_id=40187 2019-03-12T10:55:01Z Jim Pingle
<ul><li><strong>Target version</strong> changed from <i>48</i> to <i>2.5.0</i></li></ul>
https://redmine.pfsense.org/issues/9390?journal_id=40529 2019-05-11T16:48:07Z Jim Pingle
<ul><li><strong>Target version</strong> changed from <i>2.5.0</i> to <i>2.4.4-p3</i></li></ul>
https://redmine.pfsense.org/issues/9390?journal_id=40668 2019-05-16T11:35:03Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>Unable to reproduce on -p3. Looks good all around.</p>
<p>No CSRF string in a previously affected system, and also a complete configuration download from a system that previously cut off early due to output buffering.</p>
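<p>Added example, not part of the original thread or the committed patch: a Python check for the two symptoms reported above, a script tag in the downloaded backup and a download that is cut off before the closing &lt;/pfsense&gt; tag. The function name, messages and sample data are constructed for illustration, and the rule that a script tag never appears outside CDATA is an assumption.</p>

```python
import re
import xml.etree.ElementTree as ET

ROOT_CLOSE = b"</pfsense>"
CDATA = re.compile(rb"<!\[CDATA\[.*?\]\]>", re.S)

def check_backup(data: bytes) -> list:
    """Return the problems found in a downloaded backup; an empty list means it looks intact."""
    problems = []
    end = data.rfind(ROOT_CLOSE)
    if end == -1:
        problems.append("truncated: no closing </pfsense> tag")
    elif data[end + len(ROOT_CLOSE):].strip():
        extra = len(data) - end - len(ROOT_CLOSE)
        problems.append(f"{extra} bytes of trailing data after </pfsense>")
    # Heuristic (assumption): outside CDATA text, a config file holds no script tag.
    if b"<script" in CDATA.sub(b"", data).lower():
        problems.append("script tag outside CDATA")
    if b"<!doctype" in data.lower():
        # A config backup needs no DTD; skip parsing to avoid entity-expansion risk.
        problems.append("DOCTYPE present, XML not parsed")
        return problems
    try:
        if ET.fromstring(data).tag != "pfsense":
            problems.append("root element is not <pfsense>")
    except ET.ParseError as exc:
        problems.append(f"not well-formed XML: {exc}")
    return problems

# Constructed samples, not taken from a real firewall.
GOOD = (b'<?xml version="1.0"?>\n<pfsense>\n<system><hostname>fw</hostname>'
        b'<descr><![CDATA[note about <script> tags]]></descr></system>\n</pfsense>\n')
INJECTED = GOOD + b'<script type="text/javascript">/* constructed */</script>\n'
TRUNCATED = GOOD[:60]  # cut off mid-element, as in an interrupted download

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("injected", INJECTED), ("truncated", TRUNCATED)):
        print(name, check_backup(blob) or "ok")
```

<p>Running such a check on each scheduled backup before archiving it catches a damaged file at download time rather than at restore time.</p>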