From fd30387c26144cda3a5ab50c3946635bec1020b7 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Fri, 11 Aug 2017 16:51:10 +0200 Subject: [PATCH] rec: Fix XSS in the web interface (cherry picked from commit 2d801e832ed07dbbcbe9aa9bb6cca99c077916bf) --- pdns/dnsdistdist/html/local.js | 98 --------------------------------- pdns/recursordist/html/local.js | 53 ++++++++++++++---- 2 files changed, 41 insertions(+), 110 deletions(-) diff --git a/pdns/dnsdistdist/html/local.js b/pdns/dnsdistdist/html/local.js index 26618447b..4241d503a 100644 --- a/pdns/dnsdistdist/html/local.js +++ b/pdns/dnsdistdist/html/local.js @@ -46,97 +46,6 @@ $(document).ready(function() { cpugraph.render(); var intervalcount=0; - function updateRingBuffers() - { - var filtered=$("#filter1").is(':checked') - var qstring='jsonstat?command=get-query-ring&name=queries'; - if(filtered) - qstring=qstring+"&public-filtered=1"; - - $.getJSON(qstring, - function(data) { - console.log(data); - var bouw=""; - var num=0; - var total=0, rest=0; - $.each(data["entries"], function(a,b) { - total+=b[0]; - if(num++ > 10) { - rest+=b[0]; - return; - } - if(b[1].length > 25) - b[1]=b[1].substring(0,25); - - bouw=bouw+(""); - }); - bouw+=""; - bouw=bouw+"
NumberDomainType
"+b[0]+""+b[1]+""+b[2]+"
"+rest+"Rest
"; - $("#queryring").html(bouw); - - }); - - filtered=$("#filter2").is(':checked') - qstring='jsonstat?command=get-query-ring&name=servfail-queries'; - if(filtered) - qstring=qstring+"&public-filtered=1"; - - $.getJSON(qstring, - function(data) { - var bouw=""; - var num=0, total=0, rest=0; - $.each(data["entries"], function(a,b) { - total+=b[0]; - if(num++ > 10) { - rest+=b[0]; - return; - } - if(b[1].length > 25) - b[1]=b[1].substring(0,25); - bouw=bouw+(""); - }); - bouw+=""; - bouw=bouw+"
NumberServfail domainType
"+b[0]+""+b[1]+""+b[2]+"
"+rest+"Rest
"; - $("#servfailqueryring").html(bouw); - - }); - - $.getJSON('jsonstat?command=get-remote-ring&name=remotes', - function(data) { - var bouw=""; - var num=0, total=0, rest=0; - $.each(data["entries"], function(a,b) { - total+=b[0]; - if(num++ > 10) { - rest +=b[0]; - return; - } - bouw=bouw+(""); - }); - bouw+=""; - bouw=bouw+"
NumberRemote
"+b[0]+""+b[1]+"
"+rest+"Rest
"; - $("#remotering").html(bouw); - - }); - - $.getJSON('jsonstat?command=get-remote-ring&name=servfail-remotes', - function(data) { - var bouw=""; - var num=0, total=0, rest=0; - $.each(data["entries"], function(a,b) { - total+=b[0]; - if(num++ > 10) { - rest += b[0]; - return; - } - bouw=bouw+(""); - }); - bouw+=""; - bouw=bouw+"
NumberServfail Remote
"+b[0]+""+b[1]+"
"+rest+"Rest
"; - $("#servfailremotering").html(bouw); - }); - } - function update() { $.ajax({ @@ -227,10 +136,6 @@ $(document).ready(function() { }); -// if((intervalcount++)%5) - // return; - // updateRingBuffers(); - $.ajax({ url: 'jsonstat?command=dynblocklist', type: 'GET', dataType: 'json', jsonp: false, success: function(data) { var bouw=''; @@ -267,9 +172,6 @@ $(document).ready(function() { }; - $("#filter1").click(updateRingBuffers); - $("#filter2").click(updateRingBuffers); - update(); setInterval(update, 1000); }); diff --git a/pdns/recursordist/html/local.js b/pdns/recursordist/html/local.js index 1cad60468..7ed22234b 100644 --- a/pdns/recursordist/html/local.js +++ b/pdns/recursordist/html/local.js @@ -63,7 +63,7 @@ $(document).ready(function() { $.getJSON(qstring, function(data) { - var bouw="
Dyn blocked netmaskSecondsBlocksReason
"; + var table = $('
NumberDomainType
NumberDomainType
'); var num=0; var total=0, rest=0; $.each(data["entries"], function(a,b) { @@ -75,12 +75,26 @@ $(document).ready(function() { if(b[1].length > 25) b[1]=b[1].substring(0,25); - bouw=bouw+(""+b[0]+""+b[1]+""+b[2]+""); - }); - bouw+=""+rest+"Rest"; - bouw=bouw+""; - $("#queryring").html(bouw); - + var line = $(''); + var number = $(''); + number.text(b[0]); + var domain = $(''); + domain.text(b[1]); + var type = $(''); + type.text(b[2]); + line.append(number); + line.append(domain); + line.append(type); + table.append(line); + }); + var line = $(''); + var number = $(''); + number.text(rest); + var label = $('Rest'); + line.append(number); + line.append(label); + table.append(line); + $("#queryring").html(table); }); filtered=$("#filter2").is(':checked') @@ -91,7 +105,7 @@ $(document).ready(function() { $.getJSON(qstring, function(data) { - var bouw=""; + var table = $('
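Review bot: The per-row DOM construction added here (`var line = $('<tr>')`, three `$('<td>')` cells filled with `.text()`, then `table.append(line)`, plus the trailing "Rest" row) is repeated verbatim in the `@@ -101,11 +115,26 @@` hunk for the servfail table; a small helper would keep the escape-via-`.text()` discipline in one place so a later column addition cannot quietly regress to `.html()` or string concatenation in one of the two copies. The helper has to live in a scope both `$.getJSON` callbacks can see, presumably the enclosing `$(document).ready` function, which starts before this hunk. The `total` counter is still accumulated in the context lines but is not read anywhere visible in the hunk; if it is also unused outside it, it could be dropped. The enclosing callback and function both begin outside the hunk.
```javascript
// … unchanged: $.getJSON callback header, num/total/rest counters …
function appendTextRow(table, cells) {
  var line = $('<tr>');
  $.each(cells, function(i, value) {
    var cell = $('<td>');
    cell.text(value); // .text() inserts a text node, so markup in value is never parsed
    line.append(cell);
  });
  table.append(line);
}
// inside $.each(data["entries"], function(a,b) { … }), replacing the nine line/number/domain/type statements:
appendTextRow(table, [b[0], b[1], b[2]]);
// after the loop, replacing the "Rest" row construction:
appendTextRow(table, [rest, 'Rest']);
```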
NumberServfail domainType
NumberServfail domainType
'); var num=0, total=0, rest=0; $.each(data["entries"], function(a,b) { total+=b[0]; @@ -101,11 +115,26 @@ $(document).ready(function() { } if(b[1].length > 25) b[1]=b[1].substring(0,25); - bouw=bouw+(""+b[0]+""+b[1]+""+b[2]+""); + var line = $(''); + var number = $(''); + number.text(b[0]); + var domain = $(''); + domain.text(b[1]); + var type = $(''); + type.text(b[2]); + line.append(number); + line.append(domain); + line.append(type); + table.append(line); }); - bouw+=""+rest+"Rest"; - bouw=bouw+""; - $("#servfailqueryring").html(bouw); + var line = $(''); + var number = $(''); + number.text(rest); + var label = $('Rest'); + line.append(number); + line.append(label); + table.append(line); + $("#servfailqueryring").html(table); }); -- 2.40.0