authorPhil Davis <phil.davis@inf.org>2014-03-11 20:44:44 -0700
committerPhil Davis <phil.davis@inf.org>2014-03-11 20:44:44 -0700
commiteaa2285c06cde3f36ef3f9470c4331708cb5a061 (patch)
tree15350a976af8c19011627945c24dc19405c5afbd
parentea44d3baafba7e53317604e5fd964e3839d0d6d5 (diff)
Validate rule Advanced Options numeric entries
Version of pull request #1021 for the 2.1 branch
-rwxr-xr-xusr/local/www/firewall_rules_edit.php42
1 files changed, 35 insertions, 7 deletions
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index d77fe23..d4efe51 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -45,19 +45,25 @@ require("guiconfig.inc");
require_once("filter.inc");
require("shaper.inc");
+function is_posnumericint($arg) {
+ // Note that to be safe we do not allow any leading zero - "01", "007"
+ return (is_numericint($arg) && $arg[0] != '0' && $arg > 0);
+}
+
function is_aoadv_used($rule_config) {
// Note that the user could set "tag" or "tagged" to the string "0", which is valid but empty().
+ // And if the user enters "0" in other fields, we want to present an error message, and keep the Advanced Options section open.
if ((isset($rule_config['allowopts'])) ||
(isset($rule_config['disablereplyto'])) ||
($rule_config['tag'] != "") ||
($rule_config['tagged'] != "") ||
- (!empty($rule_config['max'])) ||
- (!empty($rule_config['max-src-nodes'])) ||
- (!empty($rule_config['max-src-conn'])) ||
- (!empty($rule_config['max-src-states'])) ||
- (!empty($rule_config['max-src-conn-rate'])) ||
- (!empty($rule_config['max-src-conn-rates'])) ||
- (!empty($rule_config['statetimeout'])))
+ ($rule_config['max'] != "") ||
+ ($rule_config['max-src-nodes'] != "") ||
+ ($rule_config['max-src-conn'] != "") ||
+ ($rule_config['max-src-states'] != "") ||
+ ($rule_config['max-src-conn-rate'] != "") ||
+ ($rule_config['max-src-conn-rates'] != "") ||
+ ($rule_config['statetimeout'] != ""))
return true;
return false;
}
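Review bot: is_posnumericint delegates its format check to is_numericint (defined elsewhere), and the extra tests `$arg[0] != '0'` and the loose `$arg > 0` only partially tighten it: whatever is_numericint accepts — a leading `+`, surrounding whitespace, or other PHP numeric-string forms, depending on its implementation — still compares greater than zero and passes. An explicit pattern makes the accepted form self-describing and independent of that helper, and also avoids the notice `$arg[0]` raises on an empty or non-string value: `return (preg_match('/^[1-9][0-9]*$/', (string)$arg) === 1);`. In is_aoadv_used the switch from `!empty()` to `!= ""` is a loose comparison; presumably these values arrive from config as strings, where it behaves, but `!== ""` states the intent without relying on PHP's type juggling.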
@@ -528,6 +534,28 @@ if ($_POST) {
$input_errors[] = gettext("You cannot specify the state timeout (advanced option) if statetype is none and no L7 container is selected.");
}
+ if (($_POST['max'] != "") && !is_posnumericint($_POST['max']))
+ $input_errors[] = gettext("Maximum state entries (advanced option) must be a positive integer");
+
+ if (($_POST['max-src-nodes'] != "") && !is_posnumericint($_POST['max-src-nodes']))
+ $input_errors[] = gettext("Maximum number of unique source hosts (advanced option) must be a positive integer");
+
+ if (($_POST['max-src-conn'] != "") && !is_posnumericint($_POST['max-src-conn']))
+ $input_errors[] = gettext("Maximum number of established connections per host (advanced option) must be a positive integer");
+
+ if (($_POST['max-src-states'] != "") && !is_posnumericint($_POST['max-src-states']))
+ $input_errors[] = gettext("Maximum state entries per host (advanced option) must be a positive integer");
+
+ if (($_POST['max-src-conn-rate'] != "") && !is_posnumericint($_POST['max-src-conn-rate']))
+ $input_errors[] = gettext("Maximum new connections per host / per second(s) (advanced option) must be a positive integer");
+
+ if (($_POST['statetimeout'] != "") && !is_posnumericint($_POST['statetimeout']))
+ $input_errors[] = gettext("State timeout (advanced option) must be a positive integer");
+
+ if ((($_POST['max-src-conn-rate'] <> "" and $_POST['max-src-conn-rates'] == "")) ||
+ (($_POST['max-src-conn-rate'] == "" and $_POST['max-src-conn-rates'] <> "")))
+ $input_errors[] = gettext("Both maximum new connections per host and the interval (per second(s)) must be specified");
+
if (!$_POST['tcpflags_any']) {
$settcpflags = array();
$outoftcpflags = array();
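Review bot: `max-src-conn-rates` (the interval) is the one advanced-options field this hunk never passes through is_posnumericint; the pairing check at the end of the hunk only verifies it is present together with `max-src-conn-rate`, so a non-numeric interval is accepted while the rate beside it is rejected. Add the same guard as the other fields, `if (($_POST['max-src-conn-rates'] != "") && !is_posnumericint($_POST['max-src-conn-rates']))` followed by `$input_errors[] = gettext("Maximum new connections per host / per second(s) interval (advanced option) must be a positive integer");`. The pairing check also mixes `<>` and `and` with the `!=` and `&&` used by every other line in the hunk; inside the parentheses precedence is harmless, but matching the surrounding style avoids a reader pausing on it. The enclosing `if ($_POST)` block begins and ends outside the hunk.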