author | Renato Botelho <garga@FreeBSD.org> | 2014-11-18 12:03:21 -0200 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-11-18 12:03:21 -0200 |
commit | f376043cf3d29af7600776e38930c80cac5d5963 (patch) | |
tree | e951d012f02af60f49ed826d0a442b46efd46c55 | |
parent | 8105ffa61c2d5aba42fa0ceac92ae7f9f80f8b19 (diff) | |
download | pfsense-f376043cf3d29af7600776e38930c80cac5d5963.zip pfsense-f376043cf3d29af7600776e38930c80cac5d5963.tar.gz |
Define a local boolean var for showact to avoid security issues, also pass order parameter through htmlspecialchars()
-rw-r--r-- | usr/local/www/widgets/widgets/captive_portal_status.widget.php | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/usr/local/www/widgets/widgets/captive_portal_status.widget.php b/usr/local/www/widgets/widgets/captive_portal_status.widget.php
index 245b65b..53c6588 100644
--- a/usr/local/www/widgets/widgets/captive_portal_status.widget.php
+++ b/usr/local/www/widgets/widgets/captive_portal_status.widget.php
@@ -62,11 +62,13 @@ $a_cp =& $config['captiveportal'];
 $cpdb_all = array();
+$showact = isset($_GET['showact']) ? 1 : 0;
+
 foreach ($a_cp as $cpzone => $cp) {
 $cpdb = captiveportal_read_db();
 foreach ($cpdb as $cpent) {
 $cpent[10] = $cpzone;
- if ($_GET['showact'])
+ if ($showact == 1)
 $cpent[11] = captiveportal_get_last_activity($cpent[2]);
 $cpdb_all[] = $cpent;
 }
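Review bot: `$showact = isset($_GET['showact']) ? 1 : 0;` turns the widget's own "off" links back on: the header and delete links in this same file now emit `showact=<?=$showact;?>`, so once a user is in the plain view every click sends `showact=0`, which is set and therefore becomes 1. The removed `if ($_GET['showact'])` treated `0` as off, so this is a behaviour regression rather than just a hardening. Use `$showact = !empty($_GET['showact']) ? 1 : 0;` (empty() treats the string '0' as empty) or, more explicitly, `$showact = (isset($_GET['showact']) && $_GET['showact'] == '1') ? 1 : 0;`. A one-line comment such as `// normalised to 0/1 so it is safe to echo into links below` would make the intent clear to the next reader.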
@@ -90,12 +92,12 @@ if ($_GET['order']) {
 ?>
 <table class="sortable" name="sortabletable" id="sortabletable" width="100%" border="0" cellpadding="0" cellspacing="0" summary="captive portal status">
 <tr>
- <td class="listhdrr"><a href="?order=ip&showact=<?=$_GET['showact'];?>">IP address</a></td>
- <td class="listhdrr"><a href="?order=mac&showact=<?=$_GET['showact'];?>">MAC address</a></td>
- <td class="listhdrr"><a href="?order=user&showact=<?=$_GET['showact'];?>"><?=gettext("Username");?></a></td>
- <?php if ($_GET['showact']): ?>
- <td class="listhdrr"><a href="?order=start&showact=<?=$_GET['showact'];?>"><?=gettext("Session start");?></a></td>
- <td class="listhdrr"><a href="?order=start&showact=<?=$_GET['showact'];?>"><?=gettext("Last activity");?></a></td>
+ <td class="listhdrr"><a href="?order=ip&showact=<?=$showact;?>">IP address</a></td>
+ <td class="listhdrr"><a href="?order=mac&showact=<?=$showact;?>">MAC address</a></td>
+ <td class="listhdrr"><a href="?order=user&showact=<?=$showact;?>"><?=gettext("Username");?></a></td>
+ <?php if ($showact == 1): ?>
+ <td class="listhdrr"><a href="?order=start&showact=<?=$showact;?>"><?=gettext("Session start");?></a></td>
+ <td class="listhdrr"><a href="?order=start&showact=<?=$showact;?>"><?=gettext("Last activity");?></a></td>
 <?php endif; ?>
 </tr>
 <?php foreach ($cpdb_all as $cpent): ?>
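Review bot: The rewritten "Last activity" header link still passes `order=start`, identical to the "Session start" link on the line above it, so sorting by last activity does not appear to be reachable from the UI. This was carried over from the removed line, but since the line is being rewritten anyway it is the moment to give it its own key, e.g. `order=lastact`; the sort handler named in the hunk header (`if ($_GET['order'])`) is outside this hunk, so I cannot confirm whether it already has a case for that. Separately, the `&` separators inside these href attributes should be `&amp;` to be valid HTML, though browsers tolerate the bare form.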
@@ -103,12 +105,12 @@ if ($_GET['order']) {
 <td class="listlr"><?=$cpent[2];?></td>
 <td class="listr"><?=$cpent[3];?> </td>
 <td class="listr"><?=$cpent[4];?> </td>
- <?php if ($_GET['showact']): ?>
+ <?php if ($showact == 1): ?>
 <td class="listr"><?=htmlspecialchars(date("m/d/Y H:i:s", $cpent[0]));?></td>
 <td class="listr"><?php if ($cpent[11] && ($cpent[11] > 0)) echo htmlspecialchars(date("m/d/Y H:i:s", $cpent[11]));?></td>
 <?php endif; ?>
 <td valign="middle" class="list nowrap">
- <a href="?order=<?=$_GET['order'];?>&showact=<?=$_GET['showact'];?>&act=del&zone=<?=$cpent[10];?>&id=<?=$cpent[5];?>" onclick="return confirm('Do you really want to disconnect this client?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="x" /></a></td>
+ <a href="?order=<?=htmlspecialchars($_GET['order']);?>&showact=<?=$showact;?>&act=del&zone=<?=$cpent[10];?>&id=<?=$cpent[5];?>" onclick="return confirm('Do you really want to disconnect this client?')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" alt="x" /></a></td>
 </tr>
 <?php endforeach; ?>
-</table>
\ No newline at end of file
+</table>
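Review bot: `htmlspecialchars($_GET['order'])` covers the attribute context, but the value is being placed inside a URL query string, where the per-context escape is `urlencode()`; and on the same href `$cpent[10]` (the zone name, assigned from the config key in the first hunk) and `$cpent[5]` are still emitted raw while the neighbouring parameter now is not. Since `$_GET['order']` is only ever reflected back into links here, the cheapest hardening is to whitelist it against the sort keys this page emits (`ip`, `mac`, `user`, `start`) before echoing; the handler at the hunk header (`if ($_GET['order'])`) is outside this hunk, so I cannot see whether it already rejects other values. Suggested line: `<a href="?order=<?=urlencode(isset($_GET['order']) ? $_GET['order'] : '');?>&showact=<?=$showact;?>&act=del&zone=<?=urlencode($cpent[10]);?>&id=<?=urlencode($cpent[5]);?>"`, which also silences the undefined-index notice when no order was given. The IP/MAC/username cells above (`$cpent[2]`–`$cpent[4]`, context lines) are still echoed unescaped, and the username presumably originates from portal logins, so it deserves `htmlspecialchars()` under the same commit goal. The enclosing `<?php foreach ($cpdb_all as $cpent): ?>` begins in the previous hunk.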