Prevent possible XSS attack vector in the input fields of the group section #1443
You need to include
I still need to test this myself before approving.
I only tested group-domains.php and it seems to work. Someone should try the other pages just to be sure.
We should prefer the built in solution assuming it works the same IMHO
because it's tested and works for everything, not just quotes.
On Mon, Jun 8, 2020, 18:11 Adam Warner wrote:
***@***.**** commented on this pull request.
------------------------------
In scripts/pi-hole/php/groups.php
<#1443 (comment)>:
> @@ -58,7 +58,10 @@ function JSON_error($message = null)
} elseif ($_POST['action'] == 'add_group') {
// Add new group
try {
- $names = str_getcsv(trim($_POST['name']), ' ');
+ // Payload from the web interface will have been sanitised with " converted to "
+ // so before we process the input, we will do the opposite and replace " with ";
+ $input = str_replace(""","\"",trim($_POST['name']));
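Review bot: The added `$input = str_replace(...)` line reverses only the `&quot;` substitution, so a group name containing `&`, `<` or `>` would still arrive in its escaped form (for example `R&amp;D` instead of `R&D`) and be stored that way; since the web interface applies a generic HTML escape, decode it with the built-in `html_entity_decode()` as the reply above suggests, rather than undoing one entity by hand. As quoted here the first argument also reads as `"""`, which is not a valid PHP string literal, and the comment above it reads `" converted to "`; both look like the entity being rendered as a bare quote in transit, so please confirm the committed line and comment actually spell out `&quot;`.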
Fair shout, I didn't know of its existence before now. Either or works in this case.
I'd like @DL6ER to confirm the database-related code. For example I see this from the PHP page:
I will try the branch again tomorrow, and try to review all JS code in those files.
1c5bbc1 prevents an (unlikely, but possible) attack vector: Given the following entry in the static lease file:
Before patch:
After patch script is no longer run:
@XhmikosR I cannot test anything until beginning/mid of next week. I fully trust @PromoFaux to be aware of any database-related issues that might be there. Note that it is planned to drop any SQL stuff from the web interface for Pi-hole v6.0 and to shift any list manipulations into the API (provided by FTL). This is to reduce the number of places where stuff can get changed and where write-access is needed.
There are a couple more places I want to check before merging (see my screenshots on mattermost for more info)
…y_decode/htmlentities in PHP Signed-off-by: Adam Warner <me@adamwarner.co.uk>
Tested and found no oddities.
Thanks to Dino at @telspacesystems and also @spartacvs for reporting the issues that led to this PR
CVE-2020-14971 seems to have been assigned for this issue: https://blog.telspace.co.za/2020/06/pi-hole-code-injection-cve-2020-14971.html
This pull request has been mentioned on Pi-hole Userspace. There might be relevant details there: https://discourse.pi-hole.net/t/pi-hole-5-1-released/35577/1
What does this PR aim to accomplish?:
Calls the already existing `utils.escapeHtml()` to make sure nothing is executed. Works independent of CSP changes.
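As an added example (not code from the Pi-hole repository; the project's own `utils.escapeHtml()` is not reproduced here), the following shows an HTML escaper applied to a group name before it is put into markup, together with the two server-side decoding strategies discussed in the thread: the single `&quot;` replacement from the quoted hunk and a full entity decode. All function names below are my own.

```javascript
// Added example, not Pi-hole code: escape a group name for HTML, then compare
// decoding only &quot; against decoding every entity the escaper can produce.

const ENTITY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of text or attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Build a table cell from the escaped text, so tags in the name render as text.
function renderGroupCell(name) {
  return `<td class="group-name">${escapeHtml(name)}</td>`;
}

// Mirrors the hand-rolled str_replace("&quot;", "\"", ...) from the quoted hunk.
function decodeQuotesOnly(escaped) {
  return escaped.split("&quot;").join('"');
}

// Full inverse of escapeHtml: what a built-in decoder such as html_entity_decode does.
// A single regex pass decodes each entity once, so "&amp;lt;" becomes "&lt;", not "<".
function decodeAll(escaped) {
  const reverse = Object.fromEntries(Object.entries(ENTITY_MAP).map(([k, v]) => [v, k]));
  return escaped.replace(/&(amp|lt|gt|quot|#39);/g, (m) => reverse[m]);
}

// True when decoding the escaped form recovers the original name exactly.
function roundTrips(name, decoder) {
  return decoder(escapeHtml(name)) === name;
}

// Constructed sample names: one with quotes, one with an ampersand, one with a tag.
const SAMPLES = ['Guests "Wifi"', "R&D", "<b>bold</b>"];

// Report which names survive each decoder; only the quote-only decoder fails on "R&D".
function roundTripReport() {
  return SAMPLES.map((name) => ({
    name,
    quotesOnly: roundTrips(name, decodeQuotesOnly),
    all: roundTrips(name, decodeAll),
  }));
}
```

The report makes the thread's point concrete: the quote-only replacement round-trips quoted names but leaves `R&amp;D` encoded, while the full decode recovers every sample.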