Closed z0r0 closed 6 years ago
Thanks for the bug report, I'm looking into it :)
FILE: csp_report_body.json
----------------------------
{
  "csp-report": {
    "document-uri": "http://example.com/signup.html",
    "referrer": "",
    "blocked-uri": "http://example.com/css/style.css",
    "violated-directive": "style-src cdn.example.com",
    "original-policy": "default-src 'none'; style-src cdn.example.com; report-uri /_/csp-reports",
    "disposition": "report"
  }
}
---------------------------
Execute: curl --data csp_report_body.json --header "Content-Type: application/json" http://127.0.0.1:80/foo.php
---------------------------
To test:
Paste the body in here: https://jsonlint.com/
Hello,
First of all, really sorry for the delay of my answer, I've been busy on other topics :)
So, I looked a bit at the bug. The correct curl request is
curl -v --data-binary "@csp.json" --header "Content-Type: application/json" http://127.0.0.1:4242/
(else the data would simply be the filename). I did the tests locally and it is correctly parsed (for the CSP case at least).
I'm now looking at the first blob you pasted!
Hello,
I fixed the bug in https://github.com/nbs-system/naxsi/commit/2868972a00fdd950a505e88b1bcdcc75fa4ddd7b.
I just need to add some extra tests and merge into master.
Merge request pending.
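The expected handling of the body reported in this issue, as an added Python example (not Naxsi's code and not taken from the linked commit): the body is parsed once, objects and arrays are descended into, and a string value stays a single leaf even when its text looks like JSON. The names `leaves` and `inspect_body` are hypothetical, and `NESTED_BODY` is a sample shortened from the CSP report in this thread.

```python
import json

# Body quoted in this issue: one key whose value is a string containing JSON-like text.
ERROR_BODY = r'{"error": "ERROR_REPORT:{\"request\":{\"bar\":\"\"},\"response\":{\"bar\":[{\"schema_id\":\"foo\"}]}}"}'

# Sample with real nesting, shortened from the CSP report in this thread.
NESTED_BODY = '{"csp-report": {"document-uri": "http://example.com/signup.html", "disposition": "report"}}'


def leaves(node, path=""):
    """Yield (path, value) for every scalar in a parsed JSON document.

    Objects and arrays are descended into. A string is always a leaf:
    its content is never re-tokenised as JSON.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def inspect_body(raw):
    """Parse a request body once and return its (path, value) leaves."""
    return list(leaves(json.loads(raw)))


if __name__ == "__main__":
    for body in (ERROR_BODY, NESTED_BODY):
        for path, value in inspect_body(body):
            print(f"{path!r}: {value!r}")
```

For `ERROR_BODY` the walker reports exactly one leaf, `error`, whose value is the unescaped string; the braces and quotes inside it are data, not structure.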
{"error": "ERROR_REPORT:{\"request\":{\"bar\":\"\"},\"response\":{\"bar\":[{\"schema_id\":\"foo\"}]}}"}
is actually valid JSON. It's a key, with a value that's a string. Currently, Naxsi attempts to parse this string in a nested fashion, when it should not. The following is the response: