From d0cf6e4a57f3c3f4f425ea48a3caefed407e69c4 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 12 May 2021 11:49:31 +0200 Subject: [PATCH] luci-mod-status: fix potential XSS via specially crafted DNS names When an upstream NS returns PTR domain names containing HTML, it is added verbatim to the connection status table. Prevent this issue by HTML escaping any values in the source and destination columns. Fixes: CVE-2021-32019 Signed-off-by: Jo-Philipp Wich (cherry picked from commit 3c66c5b1651aa25afbff09bee45047da9a0ba43d) --- .../htdocs/luci-static/resources/view/status/connections.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js index 4c1b097f2b..88a96f53b9 100644 --- a/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js +++ b/modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js @@ -133,8 +133,8 @@ return view.extend({ rows.push([ c.layer3.toUpperCase(), c.layer4.toUpperCase(), - c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src, - c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst, + '%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src), + '%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst), '%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.')) ]); } -- 2.30.2