author | Changqing Li <changqing.li@windriver.com> | 2019-11-12 16:32:45 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2021-03-08 16:08:38 -0800 |
commit | 32b64cd3dd096285a54735be91feff3df2634908 (patch) | |
tree | a75cf27ec5f3900e458ebe6194ed630b95660eb9 /meta | |
parent | 27d96fbf48d502dcb43e96bc36ea1f8ece3febb7 (diff) | |
download | openembedded-core-contrib-32b64cd3dd096285a54735be91feff3df2634908.tar.gz |
report-error.bbclass: replace angle brackets with &lt; and &gt;

When we have the below content in local.conf or auto.conf:

    BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"

send-error-report will fail with "HTTP Error 500: OK".

error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server will return an error (Invalid characters in json).

Fixed by using the escaped form of <> to replace it.

NOTE: with this change, error-report-web needs to add the filter 'safe'
for the string to be displayed, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:

with the filter 'safe':

    BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"

without the filter 'safe':

    BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem@gmail.com&gt;"

Another patch for error-report-web will be sent to the Yocto mailing list.

[YOCTO #13252]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/classes/report-error.bbclass | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 9cb6b0bd31..8dac854944 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -38,6 +38,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line + jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring python errorreport_handler () { |
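Review bot: the added `jsonstring = jsonstring.replace(...)` line in get_conf_data() escapes only the two angle brackets and leaves `&` untouched, so a conf line that already contains an entity cannot be told apart from one this code escaped, and a server rendering the field with the 'safe' filter (as the commit message requires) will display it differently from what was in the file. Escaping `&` first, for example with Python's html.escape(jsonstring, quote=False), keeps the transformation unambiguous. The commit message also implies that the server stops escaping this field at output and relies on every client having escaped it; keeping output escaping on the server and adjusting its input check would be more robust than trusting client-side escaping. As rendered on this page the replacement strings look identical to the search strings; going by the commit subject they are the HTML entities for < and >.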