luci-mod-status: fix potential XSS via specially crafted DNS names
author Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 09:49:31 +0000 (11:49 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 09:57:21 +0000 (11:57 +0200)

When an upstream NS returns PTR domain names containing HTML, they are
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js

index 9d97569d228bdf44b6a11595bf6415e9b90cc841..a87fe53fed9b82d9a576a5f77d1ec6ec9a00f8ea 100644 (file)
@@ -133,8 +133,8 @@ return view.extend({
                        rows.push([
                                c.layer3.toUpperCase(),
                                c.layer4.toUpperCase(),
-                               c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src,
-                               c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst,
+                               '%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src),
+                               '%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst),
                                '%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.'))
                        ]);
                }
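Review bot: Only the source and destination cells in this rows.push() are wrapped in '%h'.format(...); the c.layer3.toUpperCase() and c.layer4.toUpperCase() cells at the top of the same array are still pushed as raw strings. If those fields can only ever hold fixed protocol names this is fine, but that guarantee is not visible here, so either wrap them in '%h'.format(...) as well or add a short comment stating why they are safe. A one-line comment above the two changed lines noting that src and dst may be reverse-resolved names from an untrusted resolver would also help keep the escaping from being dropped in a later refactor. Note too that the port is concatenated before escaping, which is correct here since the whole cell string goes through '%h', and it should stay that way rather than escaping src or dst alone.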