Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;
On Sun, Mar 14, 2021 at 06:03:25PM -0700, Khem Raj wrote: > From: Changqing Li > > when we have below content in local.conf or auto.conf: > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " > send-error-report will fail with "HTTP Error 500: OK" > > error-report-web do rudimentary check on all fields that are > passed to the graphs page to avoid any XSS happening, if contains > '<', the server will return error(Invalid characters in json). > fixed by use escape of <> to replace it. > > NOTE: with this change, error-report-web need to add filter 'safe' > for the string wanted to display to avoid further HTML escaping > prior to output. Below is how the content displayed on webpage: > with the filter 'safe': > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " > without the filter 'safe': > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj" > > Another patch for error-report-web will send to yocto mail list. > > [YOCTO #13252] Acked-by: Martin Jansa > Signed-off-by: Changqing Li > Signed-off-by: Khem Raj > --- > meta/classes/report-error.bbclass | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/classes/report-error.bbclass > b/meta/classes/report-error.bbclass > index 9cb6b0bd31..8dac854944 100644 > --- a/meta/classes/report-error.bbclass > +++ b/meta/classes/report-error.bbclass > @@ -38,6 +38,7 @@ def get_conf_data(e, filename): > continue > else: > jsonstring=jsonstring + line > +jsonstring = jsonstring.replace("<", "<").replace(">", ">") > return jsonstring > > python errorreport_handler () { > -- > 2.30.2
[OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;
From: Changqing Li when we have below content in local.conf or auto.conf: BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " send-error-report will fail with "HTTP Error 500: OK" error-report-web do rudimentary check on all fields that are passed to the graphs page to avoid any XSS happening, if contains '<', the server will return error(Invalid characters in json). fixed by use escape of <> to replace it. NOTE: with this change, error-report-web need to add filter 'safe' for the string wanted to display to avoid further HTML escaping prior to output. Below is how the content displayed on webpage: with the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " without the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj" Another patch for error-report-web will send to yocto mail list. [YOCTO #13252] Signed-off-by: Changqing Li Signed-off-by: Khem Raj --- meta/classes/report-error.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 9cb6b0bd31..8dac854944 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -38,6 +38,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line +jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring python errorreport_handler () { -- 2.30.2
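Review bot: the line added before `return jsonstring` in get_conf_data() moves the escaping of conf text to the client and, per the NOTE in the commit message, only displays correctly once error-report-web renders the field with the `safe` filter, which switches off the template's own output escaping for a string that comes straight from a user's local.conf or auto.conf. After that change the server's "rudimentary check" for '<' is the only thing standing between submitted text and the page, and any client that skips this class still reaches the same template. Escaping at output on the server, and relaxing the '<' rejection there, would fix the "HTTP Error 500" without marking user-supplied data as safe. If the client-side replacement stays, it should also handle the ampersand first, since conf text that already contains an entity-like sequence is otherwise indistinguishable from text this line rewrote. The server-side patch should be reviewed together with this one before either is merged.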
Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;
On 12/4/19 4:16 PM, Richard Purdie wrote: On Wed, 2019-12-04 at 08:25 +0800, Changqing Li wrote: ping There was a reply from Paul Eggleton about the server side of this patch, were those issues addressed? Cheers, Richard I should have missed the reply:-[, I will check it. Thanks. BRs Sandy On 11/12/19 4:32 PM, changqing...@windriver.com wrote: From: Changqing Li when we have below content in local.conf or auto.conf: BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " send-error-report will fail with "HTTP Error 500: OK" error-report-web do rudimentary check on all fields that are passed to the graphs page to avoid any XSS happening, if contains '<', the server will return error(Invalid characters in json). fixed by use escape of <> to replace it. NOTE: with this change, error-report-web need to add filter 'safe' for the string wanted to display to avoid further HTML escaping prior to output. Below is how the content displayed on webpage: with the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " without the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj" Another patch for error-report-web will send to yocto mail list. [YOCTO #13252] Signed-off-by: Changqing Li --- meta/classes/report-error.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 1a12db1..6046867 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -36,6 +36,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line +jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring python errorreport_handler () {
Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;
On Wed, 2019-12-04 at 08:25 +0800, Changqing Li wrote: > ping There was a reply from Paul Eggleton about the server side of this patch, were those issues addressed? Cheers, Richard > On 11/12/19 4:32 PM, changqing...@windriver.com wrote: > > From: Changqing Li > > > > when we have below content in local.conf or auto.conf: > > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " > > send-error-report will fail with "HTTP Error 500: OK" > > > > error-report-web do rudimentary check on all fields that are > > passed to the graphs page to avoid any XSS happening, if contains > > '<', the server will return error(Invalid characters in json). > > fixed by use escape of <> to replace it. > > > > NOTE: with this change, error-report-web need to add filter 'safe' > > for the string wanted to display to avoid further HTML escaping > > prior to output. Below is how the content displayed on webpage: > > with the filter 'safe': > > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " > > without the filter 'safe': > > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj" > > > > Another patch for error-report-web will send to yocto mail list. > > > > [YOCTO #13252] > > > > Signed-off-by: Changqing Li > > --- > > meta/classes/report-error.bbclass | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/meta/classes/report-error.bbclass > > b/meta/classes/report-error.bbclass > > index 1a12db1..6046867 100644 > > --- a/meta/classes/report-error.bbclass > > +++ b/meta/classes/report-error.bbclass > > @@ -36,6 +36,7 @@ def get_conf_data(e, filename): > > continue > > else: > > jsonstring=jsonstring + line > > +jsonstring = jsonstring.replace("<", "<").replace(">", > > ">") > > return jsonstring > > > > python errorreport_handler () {
Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;
ping On 11/12/19 4:32 PM, changqing...@windriver.com wrote: From: Changqing Li when we have below content in local.conf or auto.conf: BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " send-error-report will fail with "HTTP Error 500: OK" error-report-web do rudimentary check on all fields that are passed to the graphs page to avoid any XSS happening, if contains '<', the server will return error(Invalid characters in json). fixed by use escape of <> to replace it. NOTE: with this change, error-report-web need to add filter 'safe' for the string wanted to display to avoid further HTML escaping prior to output. Below is how the content displayed on webpage: with the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " without the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj" Another patch for error-report-web will send to yocto mail list. [YOCTO #13252] Signed-off-by: Changqing Li --- meta/classes/report-error.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 1a12db1..6046867 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -36,6 +36,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line +jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring python errorreport_handler () {
Re: [OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;
On Tue, 2019-11-12 at 16:32 +0800, changqing...@windriver.com wrote: > From: Changqing Li > > when we have below content in local.conf or auto.conf: > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " > send-error-report will fail with "HTTP Error 500: OK" > > error-report-web do rudimentary check on all fields that are > passed to the graphs page to avoid any XSS happening, if contains > '<', the server will return error(Invalid characters in json). > fixed by use escape of <> to replace it. > > NOTE: with this change, error-report-web need to add filter 'safe' > for the string wanted to display to avoid further HTML escaping > prior to output. Below is how the content displayed on webpage: > with the filter 'safe': > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " > without the filter 'safe': > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj" > > Another patch for error-report-web will send to yocto mail list. > > [YOCTO #13252] > This patch fixes my problem. LGTM > Signed-off-by: Changqing Li > --- > meta/classes/report-error.bbclass | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/classes/report-error.bbclass b/meta/classes/report- > error.bbclass > index 1a12db1..6046867 100644 > --- a/meta/classes/report-error.bbclass > +++ b/meta/classes/report-error.bbclass > @@ -36,6 +36,7 @@ def get_conf_data(e, filename): > continue > else: > jsonstring=jsonstring + line > +jsonstring = jsonstring.replace("<", "<").replace(">", > ">") > return jsonstring > > python errorreport_handler () { > -- > 2.7.4
[OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;
From: Changqing Li when we have below content in local.conf or auto.conf: BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " send-error-report will fail with "HTTP Error 500: OK" error-report-web do rudimentary check on all fields that are passed to the graphs page to avoid any XSS happening, if contains '<', the server will return error(Invalid characters in json). fixed by use escape of <> to replace it. NOTE: with this change, error-report-web need to add filter 'safe' for the string wanted to display to avoid further HTML escaping prior to output. Below is how the content displayed on webpage: with the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj " without the filter 'safe': BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj" Another patch for error-report-web will send to yocto mail list. [YOCTO #13252] Signed-off-by: Changqing Li --- meta/classes/report-error.bbclass | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 1a12db1..6046867 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -36,6 +36,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line +jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring python errorreport_handler () { -- 2.7.4
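Review bot: the new `jsonstring.replace(...)` line in get_conf_data() has no comment, and nothing in the class records why conf text is rewritten before upload or that the result is only readable once error-report-web displays it with the `safe` filter. A short comment naming the server's '<' rejection and [YOCTO #13252] would stop a later cleanup from dropping the line or from adding a second escaping pass on top of it, which is the double-escaped output the commit message shows for the case without `safe`.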