themes: Call striptags() on hostname to prevent XSS 5109/head
author: Hauke Mehrtens <hauke@hauke-m.de>
Tue, 8 Jun 2021 23:28:44 +0000 (01:28 +0200)
committer: Hauke Mehrtens <hauke@hauke-m.de>
Tue, 8 Jun 2021 23:33:44 +0000 (01:33 +0200)
This calls striptags() on the hostname to prevent any XSS over the
hostname. This should fix CVE-2021-33425 as far as I understood it.

If someone adds some JavaScript into system.@system[0].hostname it would
have been directly added to the page; this prevents the problem.

This can only be exploited by someone being able to modify the uci
configuration; normally a user with such privileges could also just
modify the webpage.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
themes/luci-theme-bootstrap/luasrc/view/themes/bootstrap/header.htm
themes/luci-theme-material/luasrc/view/themes/material/header.htm
themes/luci-theme-openwrt-2020/luasrc/view/themes/openwrt2020/header.htm
themes/luci-theme-openwrt/luasrc/view/themes/openwrt.org/header.htm

index ad2d7feef59c37f9549c3a7036ddd51ca4ed53f8..81a23d63af6df8c0260ddf81ea9cd30ab75f6f38 100644 (file)
@@ -41,7 +41,7 @@
                <header>
                        <div class="fill">
                                <div class="container">
-                                       <a class="brand" href="/"><%=boardinfo.hostname or "?"%></a>
+                                       <a class="brand" href="/"><%=striptags(boardinfo.hostname or "?")%></a>
                                        <ul class="nav" id="topmenu" style="display:none"></ul>
                                        <div id="indicators" class="pull-right"></div>
                                </div>
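Review bot: striptags() removes markup instead of escaping it, so on `<a class="brand" href="/"><%=striptags(boardinfo.hostname or "?")%></a>` a hostname that happens to contain a literal `<` or `>` is silently truncated in the rendered page rather than shown as entered, and an `&` passes through unescaped. An HTML-escaping helper (entity-encoding `<`, `>` and `&`) would neutralise injected tags equally well while keeping the displayed value faithful to the configured hostname; worth considering if such a helper is already available in the template environment.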
index f81aae5ac193a097cd92f492577cc873fd76077a..8c418b6fc2683fcf4d2f5cd928f787d7d2f66680 100644 (file)
                <div class="container">
                        <span class="showSide"></span>
                        <a id="logo" href="<% if luci.dispatcher.context.authsession then %><%=url('admin/status/overview')%><% else %>#<% end %>"><img src="<%=media%>/brand.png" alt="OpenWrt"></a>
-                       <a class="brand" href="#"><%=boardinfo.hostname or "?"%></a>
+                       <a class="brand" href="#"><%=striptags(boardinfo.hostname or "?")%></a>
                        <div class="status" id="indicators">
                                <span id="xhr_poll_status" style="display:none" onclick="XHR.running() ? XHR.halt() : XHR.run()">
                                        <span class="label success" id="xhr_poll_status_on"><span class="mobile-hide"><%:Auto Refresh%></span> <%:on%></span>
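Review bot: the same `striptags(boardinfo.hostname or "?")` expression is now repeated verbatim in four theme templates; a future theme or a new place that prints the hostname can easily miss the sanitisation. Consider computing the sanitised hostname once where `boardinfo` is built for the view, or in a shared helper, so every consumer gets the safe value by default and the per-template change becomes `<%=boardinfo.hostname%>` again.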
index 1cc84acbb1e0f8d2c921198380b264f4e211f823..28589ff78194bdfd80ec46a323ed78e536a647b3 100644 (file)
@@ -43,7 +43,7 @@
 <div id="menubar">
        <h2 class="navigation"><a id="navigation" name="navigation"><%:Navigation%></a></h2>
 
-       <span class="hostname"><a href="/"><%=(boardinfo.hostname or "?")%></a></span>
+       <span class="hostname"><a href="/"><%=striptags(boardinfo.hostname or "?")%></a></span>
        <span class="distversion"><%=ver.distversion%></span>
        <span id="indicators"></span>
 </div>
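Review bot: only the hostname is sanitised here while `<span class="distversion"><%=ver.distversion%></span>` on the following line is still interpolated raw. The release version does not come from the uci hostname option this fix targets, so this is a consistency point rather than the reported issue, but applying the same treatment to every value interpolated into this block is cheap and removes the need to reason about each source separately.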
index 5f79b386b203022223e9f99a8da6f422347f853f..a17f3502634082e41b1a4b9233a0fc36c92af6ea 100644 (file)
@@ -50,7 +50,7 @@
 <h2 class="navigation"><a id="navigation" name="navigation"><%:Navigation%></a></h2>
 
 <div class="hostinfo">
-       <%=(boardinfo.hostname or "?")%> | <%=ver.distversion%> |
+       <%=striptags(boardinfo.hostname or "?")%> | <%=ver.distversion%> |
        <%:Load%>: <%="%.2f" % (loadinfo[1] / 65535.0)%> <%="%.2f" % (loadinfo[2] / 65535.0)%> <%="%.2f" % (loadinfo[3] / 65535.0)%>
 </div>
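Review bot: sanitising at render time, as in `<%=striptags(boardinfo.hostname or "?")%> | <%=ver.distversion%> |`, is good defence in depth, but the commit message notes the value comes from `system.@system[0].hostname`; a complementary fix is to validate the hostname where it is written to uci (a hostname cannot legitimately contain `<`, `>` or `&`), so templates never receive markup in the first place. It would also help reviewers if the message recorded how the fix was verified, e.g. that a hostname containing a tag now renders as plain text in each of the four themes.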