Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

2021-03-22 Thread Martin Jansa
On Sun, Mar 14, 2021 at 06:03:25PM -0700, Khem Raj wrote:
> From: Changqing Li 
> 
> When we have the below content in local.conf or auto.conf:
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> send-error-report will fail with "HTTP Error 500: OK".
> 
> error-report-web does a rudimentary check on all fields that are
> passed to the graphs page to avoid any XSS happening; if a field contains
> '<', the server will return an error (Invalid characters in json).
> Fixed by replacing <> with their escape sequences.
> 
> NOTE: with this change, error-report-web needs to add the filter 'safe'
> to the string it wants to display, to avoid further HTML escaping
> prior to output. Below is how the content is displayed on the webpage:
> with the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> without the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> 
> Another patch for error-report-web will be sent to the yocto mailing list.
> 
> [YOCTO #13252]

Acked-by: Martin Jansa 

> Signed-off-by: Changqing Li 
> Signed-off-by: Khem Raj 
> ---
>  meta/classes/report-error.bbclass | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/classes/report-error.bbclass 
> b/meta/classes/report-error.bbclass
> index 9cb6b0bd31..8dac854944 100644
> --- a/meta/classes/report-error.bbclass
> +++ b/meta/classes/report-error.bbclass
> @@ -38,6 +38,7 @@ def get_conf_data(e, filename):
>  continue
>  else:
>  jsonstring=jsonstring + line
> +jsonstring = jsonstring.replace("<", "<").replace(">", ">")
>  return jsonstring
>
>  python errorreport_handler () {
> -- 
> 2.30.2
> 

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#149774): 
https://lists.openembedded.org/g/openembedded-core/message/149774
Mute This Topic: https://lists.openembedded.org/mt/81339399/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

2021-03-14 Thread Khem Raj
From: Changqing Li 

When we have the below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
send-error-report will fail with "HTTP Error 500: OK".

error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server will return an error (Invalid characters in json).
Fixed by replacing <> with their escape sequences.

NOTE: with this change, error-report-web needs to add the filter 'safe'
to the string it wants to display, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:
with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "

Another patch for error-report-web will be sent to the yocto mailing list.

[YOCTO #13252]

Signed-off-by: Changqing Li 
Signed-off-by: Khem Raj 
---
 meta/classes/report-error.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/report-error.bbclass 
b/meta/classes/report-error.bbclass
index 9cb6b0bd31..8dac854944 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -38,6 +38,7 @@ def get_conf_data(e, filename):
 continue
 else:
 jsonstring=jsonstring + line
+jsonstring = jsonstring.replace("<", "<").replace(">", ">")
 return jsonstring
 
 python errorreport_handler () {
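Review bot: as archived, the added line reads `jsonstring.replace("<", "<").replace(">", ">")`, which is a no-op; the intended replacement strings are the HTML entities `&lt;` and `&gt;` that the archive decoded, and anyone applying the patch from this page needs the entity form. On the substance, only `<` and `>` are replaced, so once the server marks the field 'safe' (as the NOTE requires), `&`, quotes and any other character the client did not escape reach the rendered page unescaped, and a literal `&lt;` in a conf file is displayed as `<`. Escaping belongs at the output boundary: the server should accept the raw field and let the template auto-escape on output, or, if the client must escape, use `html.escape()` so that `&` is covered too.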
-- 
2.30.2
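As an added illustration (not code from the patch or from error-report-web), the following models the client-side escaping the patch introduces next to the server's rudimentary check and the 'safe' versus auto-escaped template output described in the NOTE; the conf sample, the e-mail placeholder and the server/template models are constructed assumptions.

```python
import html

# Constructed local.conf excerpt modelled on the thread; the e-mail address
# is a placeholder, not the real value from the report.
SAMPLE_CONF = (
    "# local.conf excerpt (comment lines are dropped by get_conf_data)\n"
    'BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <author@example.invalid>"\n'
    "\n"
    'MACHINE ?= "qemux86-64"\n'
)


def collect_conf_lines(text):
    """Same filtering as get_conf_data() in report-error.bbclass:
    skip comment and blank lines, keep the rest verbatim."""
    jsonstring = ""
    for line in text.splitlines(keepends=True):
        if line.startswith("#") or len(line.strip()) == 0:
            continue
        jsonstring = jsonstring + line
    return jsonstring


def escape_like_patch(text):
    """What the patch does: only '<' and '>' become HTML entities."""
    return collect_conf_lines(text).replace("<", "&lt;").replace(">", "&gt;")


def escape_fully(text):
    """Alternative: html.escape() also encodes '&', so a literal '&lt;'
    in the conf file cannot be mistaken for an escaped '<'."""
    return html.escape(collect_conf_lines(text), quote=False)


def server_accepts(field):
    """Model (assumption) of error-report-web's check: a raw '<' is rejected,
    which is the 'Invalid characters in json' / HTTP 500 seen in the thread."""
    return "<" not in field


def render(field, safe):
    """Model (assumption) of the template: auto-escape unless 'safe' is used."""
    return field if safe else html.escape(field, quote=False)


def browser_text(rendered_html):
    """Text a browser shows for the rendered fragment (entities decoded)."""
    return html.unescape(rendered_html)
```

Run the functions over SAMPLE_CONF to see the double escaping without 'safe', and over a conf value containing a literal `&lt;` to see why escaping `&` matters once 'safe' is used.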





Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

2019-12-04 Thread Changqing Li



On 12/4/19 4:16 PM, Richard Purdie wrote:
> On Wed, 2019-12-04 at 08:25 +0800, Changqing Li wrote:
> > ping
> 
> There was a reply from Paul Eggleton about the server side of this
> patch, were those issues addressed?
> 
> Cheers,
> 
> Richard

I must have missed the reply :-[, I will check it.

Thanks.


BRs

Sandy


On 11/12/19 4:32 PM, changqing...@windriver.com wrote:

From: Changqing Li 

When we have the below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
send-error-report will fail with "HTTP Error 500: OK".

error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server will return an error (Invalid characters in json).
Fixed by replacing <> with their escape sequences.

NOTE: with this change, error-report-web needs to add the filter 'safe'
to the string it wants to display, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:
with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "

Another patch for error-report-web will be sent to the yocto mailing list.

[YOCTO #13252]

Signed-off-by: Changqing Li 
---
   meta/classes/report-error.bbclass | 1 +
   1 file changed, 1 insertion(+)

diff --git a/meta/classes/report-error.bbclass
b/meta/classes/report-error.bbclass
index 1a12db1..6046867 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -36,6 +36,7 @@ def get_conf_data(e, filename):
   continue
   else:
   jsonstring=jsonstring + line
+jsonstring = jsonstring.replace("<", "<").replace(">",
">")
   return jsonstring
   
   python errorreport_handler () {



--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

2019-12-04 Thread Richard Purdie
On Wed, 2019-12-04 at 08:25 +0800, Changqing Li wrote:
> ping

There was a reply from Paul Eggleton about the server side of this
patch, were those issues addressed?

Cheers,

Richard

> On 11/12/19 4:32 PM, changqing...@windriver.com wrote:
> > From: Changqing Li 
> > 
> > When we have the below content in local.conf or auto.conf:
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> > send-error-report will fail with "HTTP Error 500: OK".
> > 
> > error-report-web does a rudimentary check on all fields that are
> > passed to the graphs page to avoid any XSS happening; if a field contains
> > '<', the server will return an error (Invalid characters in json).
> > Fixed by replacing <> with their escape sequences.
> > 
> > NOTE: with this change, error-report-web needs to add the filter 'safe'
> > to the string it wants to display, to avoid further HTML escaping
> > prior to output. Below is how the content is displayed on the webpage:
> > with the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> > without the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> > 
> > Another patch for error-report-web will be sent to the yocto mailing list.
> > 
> > [YOCTO #13252]
> > 
> > Signed-off-by: Changqing Li 
> > ---
> >   meta/classes/report-error.bbclass | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/meta/classes/report-error.bbclass
> > b/meta/classes/report-error.bbclass
> > index 1a12db1..6046867 100644
> > --- a/meta/classes/report-error.bbclass
> > +++ b/meta/classes/report-error.bbclass
> > @@ -36,6 +36,7 @@ def get_conf_data(e, filename):
> >   continue
> >   else:
> >   jsonstring=jsonstring + line
> > +jsonstring = jsonstring.replace("<", "<").replace(">",
> > ">")
> >   return jsonstring
> >   
> >   python errorreport_handler () {



Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

2019-12-03 Thread Changqing Li

ping

On 11/12/19 4:32 PM, changqing...@windriver.com wrote:

From: Changqing Li 

When we have the below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
send-error-report will fail with "HTTP Error 500: OK".

error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server will return an error (Invalid characters in json).
Fixed by replacing <> with their escape sequences.

NOTE: with this change, error-report-web needs to add the filter 'safe'
to the string it wants to display, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:
with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "

Another patch for error-report-web will be sent to the yocto mailing list.

[YOCTO #13252]

Signed-off-by: Changqing Li 
---
  meta/classes/report-error.bbclass | 1 +
  1 file changed, 1 insertion(+)

diff --git a/meta/classes/report-error.bbclass 
b/meta/classes/report-error.bbclass
index 1a12db1..6046867 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -36,6 +36,7 @@ def get_conf_data(e, filename):
  continue
  else:
  jsonstring=jsonstring + line
+jsonstring = jsonstring.replace("<", "<").replace(">", ">")
  return jsonstring
  
  python errorreport_handler () {



Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

2019-11-13 Thread Khem Raj
On Tue, 2019-11-12 at 16:32 +0800, changqing...@windriver.com wrote:
> From: Changqing Li 
> 
> When we have the below content in local.conf or auto.conf:
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> send-error-report will fail with "HTTP Error 500: OK".
> 
> error-report-web does a rudimentary check on all fields that are
> passed to the graphs page to avoid any XSS happening; if a field contains
> '<', the server will return an error (Invalid characters in json).
> Fixed by replacing <> with their escape sequences.
> 
> NOTE: with this change, error-report-web needs to add the filter 'safe'
> to the string it wants to display, to avoid further HTML escaping
> prior to output. Below is how the content is displayed on the webpage:
> with the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> without the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
> 
> Another patch for error-report-web will be sent to the yocto mailing list.
> 
> [YOCTO #13252]
> 

This patch fixes my problem. LGTM

> Signed-off-by: Changqing Li 
> ---
>  meta/classes/report-error.bbclass | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-
> error.bbclass
> index 1a12db1..6046867 100644
> --- a/meta/classes/report-error.bbclass
> +++ b/meta/classes/report-error.bbclass
> @@ -36,6 +36,7 @@ def get_conf_data(e, filename):
>  continue
>  else:
>  jsonstring=jsonstring + line
> +jsonstring = jsonstring.replace("<", "<").replace(">",
> ">")
>  return jsonstring
>  
>  python errorreport_handler () {
> -- 
> 2.7.4
> 



[OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

2019-11-12 Thread changqing.li
From: Changqing Li 

When we have the below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
send-error-report will fail with "HTTP Error 500: OK".

error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server will return an error (Invalid characters in json).
Fixed by replacing <> with their escape sequences.

NOTE: with this change, error-report-web needs to add the filter 'safe'
to the string it wants to display, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:
with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "

Another patch for error-report-web will be sent to the yocto mailing list.

[YOCTO #13252]

Signed-off-by: Changqing Li 
---
 meta/classes/report-error.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/report-error.bbclass 
b/meta/classes/report-error.bbclass
index 1a12db1..6046867 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -36,6 +36,7 @@ def get_conf_data(e, filename):
 continue
 else:
 jsonstring=jsonstring + line
+jsonstring = jsonstring.replace("<", "<").replace(">", ">")
 return jsonstring
 
 python errorreport_handler () {
-- 
2.7.4
