author | Evgeny Yurchenko <ey@tm-k.com> | 2011-06-17 00:41:24 -0400 |
---|---|---|
committer | Evgeny Yurchenko <ey@tm-k.com> | 2011-06-17 00:41:24 -0400 |
commit | 21cc2faa85e612169d98deca1f72fce9ff9260a5 (patch) | |
tree | b88f4e7fafa20dd3e43cfbee000752b9e1fc5100 | |
parent | 9d2d65f3a3e0478b75a42086167c6520d31778c7 (diff) | |
Bug #1437. Check for invalid characters in the fields for ca, cert and csr.
-rw-r--r-- | usr/local/www/system_camanager.php | 14 | ||||
-rw-r--r-- | usr/local/www/system_certmanager.php | 14 |
2 files changed, 26 insertions, 2 deletions
diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index 052e2e4..a4b60af 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -154,7 +154,7 @@ if ($act == "expkey") {
 if ($_POST) {
- unset($input_errors);
+ $input_errors = array();
 $pconfig = $_POST;
 /* input validation */
@@ -185,6 +185,18 @@ if ($_POST) {
 }
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ if ($pconfig['method'] != "existing")
+ /* Make sure we do not have invalid characters in the fields for the certificate */
+ for ($i = 0; $i < count($reqdfields); $i++) {
+ if ($reqdfields[$i] == 'dn_email'){
+ if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["dn_email"]))
+ array_push($input_errors, "The field 'Distinguished name Email Address' contains invalid characters.");
+ }else if ($reqdfields[$i] == 'dn_commonname'){
+ if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["dn_commonname"]))
+ array_push($input_errors, "The field 'Distinguished name Common Name' contains invalid characters.");
+ }else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
+ array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
+ }
 /* if this is an AJAX caller then handle via JSON */
 if (isAjax() && is_array($input_errors)) {
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 470f0cd..439969d 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -153,7 +153,7 @@ if ($act == "csr") {
 if ($_POST) {
 if ($_POST['save'] == gettext("Save")) {
- unset($input_errors);
+ $input_errors = array();
 $pconfig = $_POST;
 /* input validation */
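Review bot: In the first hunk of system_camanager.php, `$input_errors = array();` makes the `is_array($input_errors)` test, visible as context at the end of the second hunk, true on every POST rather than only after a validation failure. The removed `unset()` suggests the array used to exist only once an error had been recorded, so an AJAX submission with valid input may now take the error path; the body of that branch is outside the hunk and needs checking. Testing for content keeps the earlier meaning: `if (isAjax() && !empty($input_errors)) {`. The same initialisation and the same `is_array()` test appear in both hunks of system_certmanager.php.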
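Review bot: The character check added in the second hunk of system_camanager.php is a denylist, so whatever it does not name (control characters and line breaks, for example) is still accepted into the certificate fields. An allowlist per field would fail closed, though the right set depends on what each DN field must accept, which the hunk does not show. `preg_match()` is also applied to `$_POST` values without confirming they are strings, so a field submitted as an array would not match and no error would be recorded; a guard such as `if (!is_string($_POST[$reqdfields[$i]]) || preg_match(...))` closes that. The `if ($pconfig['method'] != "existing")` has no braces and relies on the comment line not counting as a statement, so braces around the `for` loop would make the scope explicit. The loop in system_certmanager.php shares all three points.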
@@ -206,6 +206,18 @@ if ($_POST) {
 }
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors);
+ if ($pconfig['method'] != "import")
+ /* Make sure we do not have invalid characters in the fields for the certificate */
+ for ($i = 0; $i < count($reqdfields); $i++) {
+ if (preg_match('/email/', $reqdfields[$i])){ /* dn_email or csr_dn_name */
+ if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["$reqdfields[$i]"]))
+ array_push($input_errors, "The field 'Distinguished name Email Address' contains invalid characters.");
+ }else if (preg_match('/commonname/', $reqdfields[$i])){ /* dn_commonname or csr_dn_commonname */
+ if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["$reqdfields[$i]"]))
+ array_push($input_errors, "The field 'Distinguished name Common Name' contains invalid characters.");
+ }else if (preg_match("/[\!\@\#\$\%\^\(\)\~\?\>\<\&\/\\\,\.\"\']/", $_POST["$reqdfields[$i]"]))
+ array_push($input_errors, "The field '" . $reqdfieldsn[$i] . "' contains invalid characters.");
+ }
 /* if this is an AJAX caller then handle via JSON */
 if (isAjax() && is_array($input_errors)) { |
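Review bot: The branch selection in this loop matches field names by substring (`preg_match('/email/', $reqdfields[$i])` and `preg_match('/commonname/', $reqdfields[$i])`), so any required field whose name merely contains those words gets the more permissive character set. The email pattern leaves `@` and `.` allowed and the common-name pattern leaves `.` allowed. Comparing against the exact field names with `in_array(..., true)` would keep the relaxed sets limited to the intended fields. The comment on the email branch reads `dn_email or csr_dn_name`, which looks like a typo for the CSR email field and should be corrected. Both special branches hard-code the label instead of using `$reqdfieldsn[$i]`, and none of the new messages go through `gettext()` as the `gettext("Save")` comparison in this file does. Since the loop is a near copy of the one in system_camanager.php, a shared helper would keep the two from drifting apart.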