search

Igalia / phpreport

Web tool for project time tracking and project management.
http://igalia.github.io/phpreport/
GNU General Public License v3.0
30 stars 12 forks source link

XML parsing error under some unrecognized circumstance #469

Open psaavedra opened 4 years ago

psaavedra commented 4 years ago

A deny service can be actionated very easily just adding a ? in the description field of the task.

Apache shows the next error:

==> /var/log/apache2/phpreport-error.log <==
[Fri Apr 03 14:33:12.848244 2020] [:error] [pid 11124] [client 192.168.1.1:58841] PHP Warning:  XMLReader::read(): ... /var/www/phpreport/phpreport/web/services/updateTasksService.php on line 206, referer: ...

Apparently there is a XML parsing error due to a unescaped ? char in the text file.

phpreport=# select id,usrid,projectid,text from task where text like '%?%' ; 
   id   | usrid | projectid |                                                                      text                                                                      
--------+-------+-----------+------------------------------------------------------------------------------------------------------------------------------------------------
 999999 |   999 |       999 |  ...?...    | 
(1 row)

Environment:

# cat /etc/debian_version 
9.12
# dpkg -l | grep apache2
ii  apache2                           2.4.25-3+deb9u9                   i386         Apache HTTP Server
ii  apache2-bin                       2.4.25-3+deb9u9                   i386         Apache HTTP Server (modules and other binary files)
ii  apache2-data                      2.4.25-3+deb9u9                   all          Apache HTTP Server (common files)
ii  apache2-utils                     2.4.25-3+deb9u9                   i386         Apache HTTP Server (utility programs for web servers)
ii  libapache2-mod-auth-openidc       2.1.6-1                           i386         OpenID Connect authentication module for Apache
ii  libapache2-mod-php7.0             7.0.33-0+deb9u7                   i386         server-side, HTML-embedded scripting language (Apache 2 module)
# dpkg -l | grep php
rc  libapache2-mod-php5               5.6.33+dfsg-0+deb8u1              i386         server-side, HTML-embedded scripting language (Apache 2 module)
ii  libapache2-mod-php7.0             7.0.33-0+deb9u7                   i386         server-side, HTML-embedded scripting language (Apache 2 module)
ii  php-common                        1:49                              all          Common files for PHP packages
ii  php7.0-cli                        7.0.33-0+deb9u7                   i386         command-line interpreter for the PHP scripting language
ii  php7.0-common                     7.0.33-0+deb9u7                   i386         documentation, examples and common module for PHP
ii  php7.0-curl                       7.0.33-0+deb9u7                   i386         CURL module for PHP
ii  php7.0-json                       7.0.33-0+deb9u7                   i386         JSON module for PHP
ii  php7.0-ldap                       7.0.33-0+deb9u7                   i386         LDAP module for PHP
ii  php7.0-opcache                    7.0.33-0+deb9u7                   i386         Zend OpCache module for PHP
ii  php7.0-pgsql                      7.0.33-0+deb9u7                   i386         PostgreSQL module for PHP
ii  php7.0-readline                   7.0.33-0+deb9u7                   i386         readline module for PHP
ii  php7.0-xml                        7.0.33-0+deb9u7                   i386         DOM, SimpleXML, WDDX, XML, and XSL module for PHP
# dpkg -l | grep postgresql
ii  postgresql                        9.6+181+deb9u3                    all          object-relational SQL database (supported version)
ii  postgresql-9.6                    9.6.17-0+deb9u1                   i386         object-relational SQL database, version 9.6 server
ii  postgresql-client                 9.6+181+deb9u3                    all          front-end programs for PostgreSQL (supported version)
ii  postgresql-client-9.6             9.6.17-0+deb9u1                   i386         front-end programs for PostgreSQL 9.6
ii  postgresql-client-common          181+deb9u3                        all          manager for multiple PostgreSQL client versions
ii  postgresql-common                 181+deb9u3                        all          PostgreSQL database-cluster manager
ii  postgresql-contrib-9.6            9.6.17-0+deb9u1                   i386         additional facilities for PostgreSQL
jaragunde commented 4 years ago

I cannot reproduce this issue. I managed to save tasks containing many different symbols. I tried with all the keys in the keyboard:

 id  |   _date    | init | _end | story | telework |                                                    text                                                    | ttype | phase | usrid | projectid | customerid | task_storyid | onsite 
-----+------------+------+------+-------+----------+------------------------------------------------------------------------------------------------------------+-------+-------+-------+-----------+------------+--------------+--------
 161 | 2020-04-04 |  540 |  600 |       | f        | ~!@#$%^&*()_+`1234567890-=qwertyuiop[]QWERTYUIOP{}asdfghjkl;'\asdfghjkl;'\ASDFGHJKL:"|zxcvbnm,./ZXCVBNM<>? |       |       |     2 |         1 |            |              | f
 160 | 2020-04-04 |  480 |  540 |       | f        | !@#$%^&*()_+-=`~[]\';/.,{}|"?><                                                                            |       |       |     2 |         1 |            |              | f
(2 rows)
psaavedra commented 4 years ago

Yeah, it seems no so easy to reproduce it. My first suspicion was against the ? but defenitively is not (I will change the title of the issue later) If can help. I'm going to put the real error (modifying some private texts) here:

==> /var/log/apache2/phpreport-error.log <==
[Fri Apr 03 14:33:12.848244 2020] [:error] [pid 11124] [client 192.168.10.13:58841] PHP Warning:  XMLReader::read(): text &amp;&amp; !another text &amp;&amp; !and text again =&gt; text in /var/www/phpreport/phpreport/web/services/updateTasksService.php on line 206, referer: https://phpreport.domain.com/web/tasks.php
phpreport=# select id,usrid,projectid,text from task where id == 999; 
   id   | usrid | projectid |                                                                      text                                                                      
--------+-------+-----------+------------------------------------------------------------------------------------------------------------------------------------------------
 999    |   999 |       999 | text                                                                                                       +
        |       |           |    text                                                                                                    +
        |       |           | text?                                                                                                      +
        |       |           | text => text                                                                                               +
        |       |           | ^Test expects that, we are in fact
(1 row)
psaavedra commented 4 years ago

Related PR: https://github.com/Igalia/phpreport/pull/413

jaragunde commented 4 years ago

The Ext Js framework is probably using custom code for all the XML generation and parsing. I think it would be safer to use the facilities provided by the browser, namely DOMParser and XMLSerializer.

Some tips on how to use them: https://stackoverflow.com/a/34047092