author | Bill Marquette <billm@pfsense.org> | 2008-05-17 18:16:11 +0000 |
---|---|---|
committer | Bill Marquette <billm@pfsense.org> | 2008-05-17 18:16:11 +0000 |
commit | e8d93059c13e9166734bbf7c8fdb279c4deddd2a (patch) | |
tree | 0f34daa69a592cba4f7c6f6863477ce2c24c9efa | |
parent | 458585c1066117d9658ce93b9bb7062d8d306540 (diff) | |
Ticket #1674
No need to use escapeshellargs for everything, use is_ipaddr to validate input instead
while here move head.inc below the ajax calls - no need to send back more data than necessary
-rwxr-xr-x | usr/local/www/diag_dump_states.php | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/usr/local/www/diag_dump_states.php b/usr/local/www/diag_dump_states.php
index 5ee7d13..2b3035f 100755
--- a/usr/local/www/diag_dump_states.php
+++ b/usr/local/www/diag_dump_states.php
@@ -28,31 +28,34 @@
 require_once("guiconfig.inc");
-$pgtitle = array("Diagnostics","Show States");
-include("head.inc");
-
-$srcip = escapeshellarg($_GET['srcip']);
-$dstip = escapeshellarg($_GET['dstip']);
-$action = escapeshellarg($_GET['action']);
-$filter = escapeshellarg($_GET['filter']);
 /* handle AJAX operations */
 if($_GET['action']) {
- if($action == "remove") {
- $retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
- echo "|{$srcip}|{$dstip}|{$retval}|";
+ if($_GET['action'] == "remove") {
+ $srcip = $_GET['srcip'];
+ $dstip = $_GET['dstip'];
+ if (is_ipaddr($srcip) and is_ipaddr($dstip)) {
+ $retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
+ echo "|{$srcip}|{$dstip}|{$retval}|";
+ } else {
+ echo "invalid input";
+ }
 exit;
 }
 }
 /* get our states */
 if($_GET['filter']) {
+ $filter = escapeshellarg($_GET['filter']);
 exec("/sbin/pfctl -s state | grep " . escapeshellarg($_GET['filter']), $states);
 } else {
 exec("/sbin/pfctl -s state", $states);
 }
+$pgtitle = array("Diagnostics","Show States");
+include("head.inc");
+
 ?>
 <body link="#0000CC" vlink="#0000CC" alink="#0000CC" onload="<?=$jsevents["body"]["onload"];?>"> |
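Review bot: The added `$filter = escapeshellarg($_GET['filter']);` line is dead, because the `exec()` on the next line still calls `escapeshellarg($_GET['filter'])` itself, leaving two parallel copies of the same quoting that can drift apart; either drop the assignment or make the call use it: `exec("/sbin/pfctl -s state | grep " . $filter, $states);`. The removal branch now reaches `mwexec()` only after `is_ipaddr()` accepts both `srcip` and `dstip`, which is the right shape for shell-bound arguments, but `is_ipaddr()` is defined outside this hunk, so whether it rejects CIDR suffixes or padded values cannot be confirmed here; a comment such as `/* is_ipaddr() must reject anything but a bare address: these values are interpolated into a pfctl command line */` above the check would record that dependency. Reading `$_GET['srcip']`/`$_GET['dstip']` without `isset()` hands a missing parameter to `is_ipaddr()` as null, so the rejection path depends on how that helper treats non-strings. The file continues above line 28 and below the `<body>` tag outside this hunk.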