luci-mod-status: fix potential XSS via specially crafted DNS names
author Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 09:49:31 +0000 (11:49 +0200)
committer Jo-Philipp Wich <jo@mein.io>
Wed, 12 May 2021 10:03:19 +0000 (12:03 +0200)

When an upstream NS returns PTR domain names containing HTML, it is
added verbatim to the connection status table.

Prevent this issue by HTML escaping any values in the source and
destination columns.

Fixes: CVE-2021-32019
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 3c66c5b1651aa25afbff09bee45047da9a0ba43d)

modules/luci-mod-status/htdocs/luci-static/resources/view/status/connections.js

index 4c1b097f2b0e16eca697533114ed29d5ba1672bb..88a96f53b9de6a572f141abe7ef6b018185226fe 100644 (file)
@@ -133,8 +133,8 @@ return view.extend({
                        rows.push([
                                c.layer3.toUpperCase(),
                                c.layer4.toUpperCase(),
-                               c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src,
-                               c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst,
+                               '%h'.format(c.hasOwnProperty('sport') ? (src + ':' + c.sport) : src),
+                               '%h'.format(c.hasOwnProperty('dport') ? (dst + ':' + c.dport) : dst),
                                '%1024.2mB (%d %s)'.format(c.bytes, c.packets, _('Pkts.'))
                        ]);
                }
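
Review bot: The `c.layer3.toUpperCase()` and `c.layer4.toUpperCase()` cells two lines above the changed ones are still pushed as raw strings, so only the two columns named in the commit message are protected. If string cells in `rows` are interpreted as markup, which is what this fix implies, it would be more robust to wrap every string cell in `'%h'.format(...)`, or to escape once at the point where `src` and `dst` receive the resolved name, so that a later reuse of those variables elsewhere in the view cannot reintroduce the issue. A short comment on the `'%h'.format(...)` lines saying that the values can carry resolver-supplied PTR names would also help keep the escaping in place during future refactoring.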