sab 1.0.0 glitterPreLoadHistory not sanitized

Report & discuss bugs found in SABnzbd
jimbome
Newbie
Posts: 2
Joined: April 11th, 2016, 8:29 pm

sab 1.0.0 glitterPreLoadHistory not sanitized

Post by jimbome »

OS: ubuntu 14.04.4
Versions:
$ apt-show-versions sabnzbdplus sabnzbdplus-theme-glitter
sabnzbdplus:all/trusty 1.0.0-0ubuntu1~jcfp1~trusty uptodate
sabnzbdplus-theme-glitter:all/trusty 1.0.0-0ubuntu1~jcfp1~trusty uptodate

Issue: When loading the main page of sabnzbd, the page is overrun by lines that appear to be log messages. Looking at the web inspector, I can see that the glitterPreLoadHistory variable contains lines that have html markup. The log lines are not being sanitized for quotes or html tags, thus screwing up the interface. The web inspector throws several exceptions, citing illegal characters.

At some point, a post-process script called some sabnzbd url, which resulted in html being returned. This html content is injected into the log lines and is being injected into the DOM.

The log has quite a bit of identifying information (indexer api keys, nzb names/locations, and ip addresses). If an interested developer gets in touch, I can send over the generated HTML I see on the page.

Thanks for an awesome product!
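The failure described above has two layers: log lines are dropped into an inline JavaScript variable (glitterPreLoadHistory) without escaping, and they are then rendered into the DOM as markup. The following is an added example, not SABnzbd's own code, showing both escaping steps; the function names, the history entry shape and the sample log line are constructed for illustration.

```javascript
// Added example (not SABnzbd's code): the two escaping layers a page needs when
// server-side data such as log lines is preloaded into an inline script variable
// and later rendered into the DOM. Function names and data shape are hypothetical.

// Layer 1: embed data in an inline <script> as a JS literal. JSON.stringify takes
// care of quotes and backslashes, but a "</script>" inside a string would still
// terminate the script element, and U+2028/U+2029 are line terminators in older
// JS engines, so escape those as well.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/<\//g, '<\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Layer 2: escape text before it is concatenated into HTML markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render one history entry as a table row with every field escaped.
function renderHistoryRow(entry) {
  const lines = entry.stage_log.map((l) => `<li>${escapeHtml(l)}</li>`).join('');
  return `<tr><td>${escapeHtml(entry.name)}</td><td><ul>${lines}</ul></td></tr>`;
}

// Constructed sample: a stage-log line carrying HTML returned by a URL call in a
// post-processing script, plus quotes and a closing script tag that would break
// an unescaped literal.
const sampleHistory = [{
  name: 'example.nzb',
  stage_log: ['Script output: <html><body>It\'s "bad"</body></html></script>'],
}];

// What the server would emit into the page, and what the client would insert.
const inlineScript = `var glitterPreLoadHistory = ${toInlineScriptLiteral(sampleHistory)};`;
const historyRow = renderHistoryRow(sampleHistory[0]);
```

Inserting historyRow via innerHTML is then safe because every user- or script-controlled string was escaped; rendering with textContent instead of markup achieves the same without the escaping step.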
safihre
Administrator
Posts: 5338
Joined: April 30th, 2015, 7:35 am

Re: sab 1.0.0 glitterPreLoadHistory not sanitized

Post by safihre »

We are aware and have fixed the problem; it will be in version 1.0.1. Hopefully released soon.
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate
jimbome
Newbie
Posts: 2
Joined: April 11th, 2016, 8:29 pm

Re: sab 1.0.0 glitterPreLoadHistory not sanitized

Post by jimbome »

Awesome, thank you!