luci-mod-status: fix potential XSS via specially crafted DNS names
author Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 09:49:31 +0000 (11:49 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 10:03:19 +0000 (12:03 +0200)
commit d0cf6e4a57f3c3f4f425ea48a3caefed407e69c4
tree 55cc80cb291f754ed251a4abfa57c23e1c5a19c7
parent ec81a49945dce9337d2da909addc52c2b0add23f
luci-mod-status: fix potential XSS via specially crafted DNS names

When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b1651aa25afbff09bee45047da9a0ba43d)
modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
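
The class of fix the commit message describes, HTML-escaping resolver-supplied names before they reach the source and destination columns, shown as an added example. This is not the code from connections.js: the function names, the row shape and the sample PTR data are assumptions constructed for illustration.

```javascript
// Added illustration; not LuCI's connections.js. All names here are hypothetical.

// Characters that are significant in HTML text and attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Format "host:port", preferring a resolved PTR name over the raw address.
// The PTR name is whatever the upstream name server returned: untrusted input.
function endpoint(addr, port, ptrNames) {
  const name = ptrNames[addr] || addr;
  return port ? `${name}:${port}` : name;
}

// Before: the formatted endpoint is concatenated into the row verbatim,
// so markup inside a PTR name becomes part of the page.
function renderRowVerbatim(conn, ptrNames) {
  return '<tr>' +
    `<td>${conn.proto}</td>` +
    `<td>${endpoint(conn.src, conn.sport, ptrNames)}</td>` +
    `<td>${endpoint(conn.dst, conn.dport, ptrNames)}</td>` +
    '</tr>';
}

// After: every cell is escaped at output time, after formatting, so the
// source and destination columns can only ever render as text.
function renderRowEscaped(conn, ptrNames) {
  const cells = [
    conn.proto,
    endpoint(conn.src, conn.sport, ptrNames),
    endpoint(conn.dst, conn.dport, ptrNames),
  ];
  return '<tr>' + cells.map((c) => `<td>${escapeHtml(c)}</td>`).join('') + '</tr>';
}

// Constructed sample data: one ordinary PTR name, one containing markup.
const SAMPLE_PTR = {
  '192.0.2.10': 'printer.lan',
  '203.0.113.7': 'cdn.<img src=x>.example.net',
};
const SAMPLE_CONN = { proto: 'TCP', src: '192.0.2.10', sport: 51514, dst: '203.0.113.7', dport: 443 };

console.log(renderRowVerbatim(SAMPLE_CONN, SAMPLE_PTR));
console.log(renderRowEscaped(SAMPLE_CONN, SAMPLE_PTR));
```

Escaping the fully formatted cell, rather than only the looked-up name, keeps the column safe regardless of which branch of the lookup produced the value.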