Traffic Totals: Broken in 2.4.4-p3 [SOLVED WITH PATCH]



  • It was working fine in 2.4.4.-p2; after upgrading to p3, it would no longer display graphs. After trying multiple fixes, such as removing the package, deleting the contents of /var/db/vnstat, reloading the package, and resetting graphing data, I attempted a "last resort" option of installing 2.4.4-p3 from scratch and restoring a backup from p2... same symptoms.

    For now, I removed the Traffic Totals package; hopefully there will be a fix for this issue.


  • Galactic Empire

    This post is deleted!

  • LAYER 8 Netgate

    Looks fine here.

    ffc5ffd0-091a-4c89-88d1-d6385f38cb13-image.png



  • Does it behave the same way on different browsers?


  • Galactic Empire

    [2.4.4-RELEASE][admin@pfsense]/root/scripts: /usr/local/bin/vnstat -i pppoe0 -h
     WAN (pppoe0)                                                             20:25 
      ^                                      r                                      
      |                                      r                                      
      |                                      r                                      
      |                                      r                                      
      |                                      r                             r        
      |                                      r                             r        
      |                                      r                             r        
      |                                      r                             r        
      |                                      r                             r        
      |                                      r  r     r           r        r        
     -+---------------------------------------------------------------------------> 
      |  21 22 23 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20    
                                                                                    
     h  rx (MiB)   tx (MiB)      h  rx (MiB)   tx (MiB)      h  rx (MiB)   tx (MiB) 
    21       0.00       0.00    05       0.00       0.00    13      32.19      10.98
    22       0.00       0.00    06       0.00       0.00    14      65.78      15.07
    23       0.00       0.00    07       0.00       0.00    15      30.59       7.33
    00       0.00       0.00    08       0.00       0.00    16      89.40       9.08
    01       0.00       0.00    09     661.91      40.87    17       7.20       2.81
    02       0.00       0.00    10      90.79      12.23    18       3.09       1.83
    03       0.00       0.00    11      46.40      14.45    19     434.38      13.74
    04       0.00       0.00    12      79.43       7.93    20       7.28       2.88
    [2.4.4-RELEASE][admin@pfsense]/root/scripts:
    

  • Galactic Empire

    Just sits at Loading graph with safari & chrome for me after nothing showing then a reset graphing data.

    Nothing showed at all straight after the update.

    Screenshot 2019-05-22 at 20.29.09.png



  • Does it behave the same way on different browsers?


  • Galactic Empire

    Yup safari & chrome, but not Firefox.

    Just also noticed you don't see the Hourly Daily Monthly Top 10 Days either.

    Screenshot 2019-05-22 at 20.37.01.png


  • Galactic Empire

    Looks like it may be associated with the user manager bug.

    https://redmine.pfsense.org/issues/9541

    Firefox with my freeradius user id I get the Loading graph.

    Safari with the local admin user shows the graph.



  • @KOM

    It yields the same result regardless of the browser used.

    @NogBadTheBad

    Interesting... when logged as a normal user with admin privileges, the screen just sits at "Loading Graph..." (as noted above). When logged in using the actual admin account, the graph works. So yes, it must have something to do with the user manager.

    Traffic Totals - Working.png



  • I'm experiencing the same issue when using a non-admin user in all browsers.

    The data is all there in the response body but the graph and data table are not rendering.

    console failure:

    Uncaught TypeError: Cannot read property 'substring' of undefined
        at Object.success (status_traffic_totals.php:475)
        at i (jquery-1.12.0.min.js?v=1538660271:2)
        at Object.fireWith [as resolveWith] (jquery-1.12.0.min.js?v=1538660271:2)
        at y (jquery-1.12.0.min.js?v=1538660271:4)
        at XMLHttpRequest.c (jquery-1.12.0.min.js?v=1538660271:4)
    

    Additionally as previously noted the Hourly Daily Monthly Top 10 Days options are also missing on all users.



  • Interesting, I don't even see a Traffic Totals menu entry under Status, or anywhere for that matter. Running 2.4.4-p3 (upgraded from 2.4.4-p2)



  • @jlw52761 It's a package that you have to add, Status_Traffic_Totals.



  • @KOM Got it, thanks!


  • Rebel Alliance Developer Netgate

    Which specific privileges do the user have which can't load the graph?

    The WebCfg - Status: Traffic Totals (page-status-monitoring) privilege appears to be correct.

    What, if anything, shows in the main system log when a non-admin user attempts to access the page?


  • Galactic Empire

    @jimp said in Traffic Totals: Broken in 2.4.4-p3 [Cause Identified]:

    Which specific privileges do the user have which can't load the graph?

    The WebCfg - Status: Traffic Totals (page-status-monitoring) privilege appears to be correct.

    What, if anything, shows in the main system log when a non-admin user attempts to access the page?

    I only have the single user.

    From the FreeRadius users:-

    "andy" Cleartext-Password := "password"
    
    	Class := "admins",
    	Service-Type := "Administrative-User"
    

    Screenshot 2019-05-24 at 20.10.39.png

    Screenshot 2019-05-24 at 20.05.51.png

    Screenshot 2019-05-24 at 20.06.20.png


  • Rebel Alliance Developer Netgate

    Actually, I see what the problem is. The way the package uses display_top_tabs() to generate tabs that don't link to actual pages, just JS anchors, doesn't like the new stronger page validation used by the privilege system. And since they aren't actual files that exist, there isn't a way to allow access to them, so the privilege system filters out the tabs.

    I don't see a quick way to fix this in the package privileges, but maybe the package maintainer can figure out a better way to generate the tab anchor links.

    I'll see if I can come up with a safe way to test for this in the privilege matching system.


  • Galactic Empire

    Thanks Jim ☺


  • Rebel Alliance Developer Netgate


  • Rebel Alliance Developer Netgate

    I think I've got this fixed but it'll take a patch in the base system, not the package.

    You can install the System Patches package and then create an entry for bdbd8534eef5b93370065340de225a1cd5e5faa8 to apply the fix and try it out. I did test against several different attack methods to ensure it didn't lower the security, and it allows the JS anchor links as expected.



  • @jimp

    Thanks for the patch; it fixed the issue. I also applied the User Manager bug patch.

    I was prompted to install the User Manager patch after seeing Tom's latest video.



  • @jimp said in Traffic Totals: Broken in 2.4.4-p3 [SOLVED WITH PATCH]:

    I think I've got this fixed but it'll take a patch in the base system, not the package.

    You can install the System Patches package and then create an entry for bdbd8534eef5b93370065340de225a1cd5e5faa8 to apply the fix and try it out. I did test against several different attack methods to ensure it didn't lower the security, and it allows the JS anchor links as expected.

    @jimp Thanks for this. One question though. Testing the patch indicates it cannot be backed-out cleanly. Is this something we should be concerned about?

    /usr/bin/patch --directory=/ -f -p2 -i /var/patches/5cebf5d50a1d0.patch --check --reverse --ignore-whitespace
    
    Hmm...  Looks like a unified diff to me...
    The text leading up to this was:
    --------------------------
    |From bdbd8534eef5b93370065340de225a1cd5e5faa8 Mon Sep 17 00:00:00 2001
    |From: jim-p 
    |Date: Fri, 24 May 2019 15:47:43 -0400
    |Subject: [PATCH] Privilege matching -- allow JS anchors. Fixes #9550
    |
    |Attempts to detect a special case where a file does not actually
    |exist, and yet should be allowed since it is used by JavaScript.
    |
    |So long as the anchor name doesn't contain any characters that might let
    |it evade other checks, allow it through.
    |---
    | src/etc/inc/auth_func.inc | 10 ++++++++++
    | 1 file changed, 10 insertions(+)
    |
    |diff --git a/src/etc/inc/auth_func.inc b/src/etc/inc/auth_func.inc
    |index 795ccdbdf1..e142e4f42c 100644
    |--- a/src/etc/inc/auth_func.inc
    |+++ b/src/etc/inc/auth_func.inc
    --------------------------
    Patching file etc/inc/auth_func.inc using Plan A...
    Hunk #1 failed at 42.
    1 out of 1 hunks failed while patching etc/inc/auth_func.inc
    done
    

  • LAYER 8 Netgate

    When you test a patch it shows its current status when compared to the file(s) to be patched.

    Before you apply it will say:

    Patch can be applied cleanly (detail)
    Patch can NOT be reverted cleanly (detail)

    After it is applied it will say:

    Patch can NOT be applied cleanly (detail)
    Patch can be reverted cleanly (detail)



  • @Derelict, ah. okay then.
    Thank you.


Log in to reply