On Fri, 2020-02-14 at 10:42 +0800, Changqing Li wrote:
> On 12/11/19 1:45 PM, Changqing Li wrote:
> > On 11/13/19 6:36 PM, Paul Eggleton wrote:
> > > Hi Changqing,
> > > 
> > > Some comments below.
> > > 
> > > On Tuesday, 12 November 2019 9:32:53 PM NZDT 
> > > [email protected] wrote:
> > > > From: Changqing Li <[email protected]>
> > > 
> > > 
> > > > +        {% if detail.BUILD.LOCAL_CONF != "" %}
> > > > +        <dt></a>Local Conf:</dt>
> > > > +        <dd style="white-space: pre-wrap;">{{ 
> > > > detail.BUILD.LOCAL_CONF | safe }}</dd>
> > > > +        {% endif %}
> > > > +
> > > > +        {% if detail.BUILD.AUTO_CONF != "" %}
> > > > +        <dt></a>Auto Conf:</dt>
> > > > +        <dd style="white-space: pre-wrap;">{{ 
> > > > detail.BUILD.AUTO_CONF | safe }}</dd>
> > > > +        {% endif %}
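Review bot: the `| safe` filter on `detail.BUILD.LOCAL_CONF` and `detail.BUILD.AUTO_CONF` switches off Django's auto-escaping for text that arrives in uploaded error reports, so any HTML inside a local.conf or auto.conf value is emitted into the page as live markup; drop `| safe` and let the default auto-escaping run once at output time, which also removes the need for the sender to pre-encode angle brackets (pre-encoding on the client plus auto-escaping on the server is exactly what yields the doubled `&lt;` described later in this thread). Separately, `<dt></a>Local Conf:</dt>` and `<dt></a>Auto Conf:</dt>` carry a stray closing `</a>` with no opening `<a>`; it should be removed.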
> > > We cannot use the safe filter here - doing so could open up an XSS 
> > > vulnerability, since anyone can upload anything to the error-report 
> > > application and the content could include links or other malicious 
> > > HTML data. We should allow it to be auto-escaped. Is there a 
> > > particular issue you were using this to solve?
> > 
> > This is to resolve a problem when there are angle brackets in 
> > local.conf/auto.conf.
> > 
> > I have a patch in oe-core: [OE-core] [PATCH] report-error.bbclass: 
> > replace angle brackets with &lt; and &gt;
> > 
> > When we have the content below in local.conf or auto.conf:
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<[email protected]>"
> > send-error-report will fail with "HTTP Error 500: OK".
> > 
> > error-report-web does a rudimentary check on all fields that are
> > passed to the graphs page to avoid any XSS; if a field contains
> > '<', the server returns an error (Invalid characters in json).
> > Fixed by using escapes to replace <>.
> > 
> > NOTE: with this change, error-report-web needs to add the filter 'safe'
> > for the strings it wants to display, to avoid further HTML escaping
> > prior to output. Below is how the content is displayed on the webpage:
> > with the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<[email protected]>"
> > without the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;[email protected]&gt;"
> > 
> > Do you have a good idea to resolve this? Thanks.

Sorry about the delay on this, we do really need to get this resolved.
I'm wondering if we should replace the angled brackets test with
https://github.com/mozilla/bleach which would then remove the need
for these workarounds.

Would you be able to update the patch for the other issues please
and then we can look at this one separately?

Thanks,

Richard
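To make the options debated in this thread concrete, here is an added Python model (not error-report-web's or oe-core's own code) of the three pieces involved: the sender-side pre-escaping from the oe-core patch, the `safe` filter, and Django-style auto-escaping. `html.escape` stands in for the template engine, the "rudimentary check" is modelled as a plain `<`/`>` test, and the sample local.conf line uses a made-up address.

```python
import html
import re

# Stand-ins for the two Django template behaviours the thread argues about.
# They are illustrative models, not the error-report-web code.
def render_autoescaped(value: str) -> str:
    """Like {{ value }} with auto-escaping on: escape once, at output time."""
    return html.escape(value, quote=True)

def render_safe(value: str) -> str:
    """Like {{ value | safe }}: whatever was uploaded goes into the page verbatim."""
    return value

def has_raw_angle_brackets(value: str) -> bool:
    """Model of the 'rudimentary check' that answers HTTP 500 for raw '<' / '>'."""
    return "<" in value or ">" in value

def client_pre_escape(value: str) -> str:
    """Model of the oe-core workaround: escape on the sending side, before upload."""
    return value.replace("<", "&lt;").replace(">", "&gt;")

def looks_like_markup(rendered: str) -> bool:
    """True if the emitted HTML still contains a real tag the browser would act on."""
    return re.search(r"<[a-zA-Z/][^>]*>", rendered) is not None

def displayed_text(rendered: str) -> str:
    """What the user sees: the browser decodes entities in the emitted HTML once."""
    return html.unescape(rendered)

def scenario(value: str, pre_escape: bool, use_safe: bool) -> str:
    """Emit the HTML for one combination of the choices discussed in the thread."""
    uploaded = client_pre_escape(value) if pre_escape else value
    return render_safe(uploaded) if use_safe else render_autoescaped(uploaded)

# Constructed sample values (the address is made up, not the one in the thread).
LOCAL_CONF = 'BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj<author@example.com>"'
HOSTILE_CONF = 'DISTRO = "poky"<script>alert(document.cookie)</script>'

if __name__ == "__main__":
    for pre, safe in [(True, True), (True, False), (False, False)]:
        out = scenario(LOCAL_CONF, pre, safe)
        print(f"pre_escape={pre} safe={safe}: user sees -> {displayed_text(out)}")
    # 'safe' trusts the upload path completely: raw markup passes straight through.
    print("hostile upload through 'safe' still contains markup:",
          looks_like_markup(scenario(HOSTILE_CONF, False, True)))
```

Pre-escaping plus `safe` displays correctly but relies on every upload path escaping first; pre-escaping plus auto-escaping shows the literal `&lt;` from the thread; raw upload plus auto-escaping displays correctly and neutralises hostile markup without any client-side workaround.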

View/Reply Online (#52795): https://lists.yoctoproject.org/g/yocto/message/52795