author | Changqing Li <changqing.li@windriver.com> | 2019-11-12 16:32:45 +0800 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2020-06-23 15:26:36 -0700 |
commit | 06249954c9715f6658c74754d38d3fd9b4990c1f (patch) | |
tree | 83f57c1e17bbb991603c92cd7b9e2c385d280239 | |
parent | 76274be9389bf5df64d1bd4c663c9afc770c6e23 (diff) | |
download | openembedded-core-contrib-06249954c9715f6658c74754d38d3fd9b4990c1f.tar.gz |
report-error.bbclass: replace angle brackets with &lt; and &gt;

When we have the content below in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"
send-error-report will fail with "HTTP Error 500: OK".

error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server will return an error (Invalid characters in json).

Fixed by using the escape of <> to replace it.

NOTE: with this change, error-report-web needs to add the filter 'safe'
for the string to be displayed, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:

with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem@gmail.com&gt;"

Another patch for error-report-web will be sent to the Yocto mailing list.

[YOCTO #13252]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r-- | meta/classes/report-error.bbclass | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 4e41d25641..b1038da2e0 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -42,6 +42,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line + jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring def errorreport_get_user_info(e): |
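Review bot: the added `jsonstring = jsonstring.replace(...)` line just before `return jsonstring` in get_conf_data() escapes only the angle brackets and leaves `&` untouched, and per the commit message it only displays correctly once error-report-web renders the field with the 'safe' filter. That moves output encoding from the server to the client: with 'safe' in place the template no longer escapes this string, so what is rendered depends on what the sender chose to escape, and the server's check for '<' becomes the only barrier. A conf line that already contains an entity-like sequence also becomes indistinguishable from one this line produced. If the escaping has to stay here, use `html.escape(jsonstring, quote=False)` so that `&` is handled first; preferably send the raw text and have error-report-web accept it and escape on output without 'safe'. The line should also carry a comment saying why the replacement is there, since nothing in get_conf_data() explains it.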