0000663: crashing if parameter contains a dot

ID	Project	Category	View Status	Date Submitted	Last Update

0000663	bareos-core	webui	public	2016-05-28 16:27	2017-06-08 16:39

Reporter	hexathos	Assigned To
Priority	normal	Severity	major	Reproducibility	have not tried
Status	closed	Resolution	fixed
Platform	Linux	OS	Debian	OS Version	8

Summary	0000663: crashing if parameter contains a dot
Description	webui is crashing if a volume contains a dot in its name. i have named my volumes with dots, like hx.full, hx.inc bareos itself seems not to have problems with then, but the webui has and ends in a routing failure wenn accessing <host>/bareos-webui/media/details/<volumenamewithdot>
Steps To Reproduce	Create a Volume with a Dot in its name Try to get details in webui about it
Additional Information	Complete failure message A 404 error occurred Page not found. The requested URL could not be matched by routing. No Exception available Director Version hx-backup-dir Version: 15.2.2 (16 November 2015) x86_64-pc-linux-gnu debian Debian GNU/Linux 8.0 (jessie) Webui Package has version 15.2.2-41.2
Tags	No tags attached.

mvwieringen 2016-05-28 21:57 developer ~0002282	what happens if you apply the following patch ? diff --git a/module/Media/config/module.config.php b/module/Media/config/module.config.php index 56d5e3c..7bf0ba0 100644 --- a/module/Media/config/module.config.php +++ b/module/Media/config/module.config.php @@ -43,7 +43,7 @@ return array( 'route' => '/media[/][:action][/][:id]', 'constraints' => array( 'action' => '[a-zA-Z][a-zA-Z0-9_-]', - 'id' => '[a-zA-Z0-9_-]', + 'id' => '[a-zA-Z0-9\._-]*', ), 'defaults' => array( 'controller' => 'Media\Controller\Media',

mvwieringen 2016-05-28 22:00 developer ~0002283	Honestly it doesn't crash its only a bit more strict as to what kind of media names it allows. With the whole web stuff you unfortunately need to be a lot more careful with what you allow to not create exploits. Seems no one else reported using using dots in media names we have added them to client and storage names over time and I'm sure we will find more exotic names. Its also not enormously complex to fix it yourself and send a patch as there are already some examples of previous fixes to the routing in the past.

mvwieringen 2016-06-03 16:22 developer ~0002284	Fix committed to bareos-webui bareos-15.2 branch with changesetid 6332.

Date Modified	Username	Field	Change
2016-05-28 16:27	hexathos	New Issue
2016-05-28 21:57	mvwieringen	Note Added: 0002282
2016-05-28 22:00	mvwieringen	Note Added: 0002283
2016-05-28 22:00	mvwieringen	Assigned To	=> mvwieringen
2016-05-28 22:00	mvwieringen	Status	new => feedback
2016-06-03 16:22	mvwieringen	Changeset attached	=> bareos-webui bareos-15.2 fe155cbd
2016-06-03 16:22	mvwieringen	Note Added: 0002284
2016-06-03 16:22	mvwieringen	Status	feedback => resolved
2016-06-03 16:22	mvwieringen	Resolution	open => fixed
2017-06-08 16:39	frank	Status	resolved => closed
2017-06-08 16:39	frank	Assigned To	mvwieringen =>

bareos-webui: bareos-15.2 fe155cbd 2016-05-29 00:01 mvwieringen Ported: N/A Details Diff	Fix routing for media. Allow also dots in media names for the Media details routing. Fixes 0000663: crashing if parameter contains a dot		Affected Issues 0000663
	mod - module/Media/config/module.config.php		Diff File