luci-mod-status: fix potential XSS via specially crafted DNS names
author Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 09:49:31 +0000 (11:49 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 10:03:00 +0000 (12:03 +0200)
commit e2abb45b0ef3cc7c527e73f3d6677a861a6875e0
tree 0bdf9941c176203f4e4f72eb1704fece1999fb59
parent 766e8f8cbf589490049b8d18a253bcad80e1d94a
luci-mod-status: fix potential XSS via specially crafted DNS names

When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b1651aa25afbff09bee45047da9a0ba43d)
modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js
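
The commit message above describes reverse-DNS names being placed verbatim into the source and destination columns of the connection table. The following is an added example, not the LuCI code or the contents of this commit: it renders one table row both ways over constructed sample data so the difference can be checked. All function names and the sample entries are assumptions made for illustration.

```javascript
// Added illustration, not LuCI code: every name below is hypothetical.

// Constructed sample data: connection entries after reverse-DNS lookup.
// The second source name stands in for a PTR answer that carries markup.
const SAMPLE_CONNECTIONS = [
  { proto: 'tcp', src: 'laptop.lan:51544', dst: 'example.org:443' },
  { proto: 'udp', src: '"><i title=\'x\'>ptr</i>.example.net:53', dst: 'router.lan:53' },
];

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// "Before" behaviour described in the commit message: resolved names are
// concatenated into the row markup verbatim.
function renderRowVerbatim(conn) {
  return `<tr><td>${conn.proto}</td><td>${conn.src}</td><td>${conn.dst}</td></tr>`;
}

// "After" behaviour: every untrusted cell is escaped before it reaches markup.
function renderRowEscaped(conn) {
  const cells = [conn.proto, conn.src, conn.dst].map(escapeHtml);
  return `<tr><td>${cells.join('</td><td>')}</td></tr>`;
}

// Count opening element tags in rendered markup. A well-formed connection
// row contains exactly one <tr> and three <td>; anything more means that
// data was parsed as markup.
function countOpeningTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Regression check usable in a unit test: true when no row gains extra tags.
function rowsAreInert(rows, renderRow) {
  return rows.every((conn) => countOpeningTags(renderRow(conn)) === 4);
}
```

In DOM code, assigning the value through `textContent` or `document.createTextNode()` gives the same result without manual string escaping.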