On Sun, Mar 14, 2021 at 06:03:25PM -0700, Khem Raj wrote:
> From: Changqing Li <changqing...@windriver.com>
>
> when we have below content in local.conf or auto.conf:
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.k...@gmail.com>"
> send-error-report will fail with "HTTP Error 500: OK"
>
> error-report-web do rudimentary check on all fields that are
> passed to the graphs page to avoid any XSS happening, if contains
> '<', the server will return error(Invalid characters in json).
> fixed by use escape of <> to replace it.
>
> NOTE: with this change, error-report-web need to add filter 'safe'
> for the string wanted to display to avoid further HTML escaping
> prior to output. Below is how the content displayed on webpage:
> with the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.k...@gmail.com>"
> without the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.k...@gmail.com>"
>
> Another patch for error-report-web will send to yocto mail list.
>
> [YOCTO #13252]
Acked-by: Martin Jansa <martin.ja...@gmail.com> > Signed-off-by: Changqing Li <changqing...@windriver.com> > Signed-off-by: Khem Raj <raj.k...@gmail.com> > --- > meta/classes/report-error.bbclass | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/meta/classes/report-error.bbclass > b/meta/classes/report-error.bbclass > index 9cb6b0bd31..8dac854944 100644 > --- a/meta/classes/report-error.bbclass > +++ b/meta/classes/report-error.bbclass > @@ -38,6 +38,7 @@ def get_conf_data(e, filename): > continue > else: > jsonstring=jsonstring + line > + jsonstring = jsonstring.replace("<", "<").replace(">", ">") > return jsonstring > > python errorreport_handler () { > -- > 2.30.2 > > > >
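Review bot: In the added `jsonstring.replace(...)` line of `get_conf_data`, the replacement strings as they appear in this copy are identical to the search strings, so the line reads as a no-op; the commit message says the intent is to escape `<` and `>`, so please confirm that the applied patch carries the escaped forms. On the same line, `&` is left untouched, so the result is only partially HTML-escaped and cannot be cleanly reversed on the server side. The NOTE in the commit message also means error-report-web has to render this field with the `safe` filter, which turns off output escaping for text that only the submitting client has escaped; the XSS protection for the field then rests entirely on the server's input check for `<`. Consider escaping `&` first (or using a standard HTML-escape helper) and documenting in a comment above the line why the escaping is done here, or keeping template auto-escaping on and relaxing the server-side check instead.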