authorjim-p <jimp@pfsense.org>2015-06-16 10:53:04 -0400
committerjim-p <jimp@pfsense.org>2015-06-16 10:53:04 -0400
commitd213c48520c6d694e660b208340e4e632e153585 (patch)
tree5475b31f9415204e5c883a1d01a1459b5d309f8c
parent621baeb604d1125e10222a70ba9a7efa85eff22b (diff)
downloadpfsense-d213c48520c6d694e660b208340e4e632e153585.zip
pfsense-d213c48520c6d694e660b208340e4e632e153585.tar.gz
Fix some low-hanging potential security issues.
-rw-r--r--usr/local/www/services_ntpd.php2
-rw-r--r--usr/local/www/system_firmware_settings.php6
-rw-r--r--usr/local/www/vpn_openvpn_csc.php8
3 files changed, 8 insertions, 8 deletions
diff --git a/usr/local/www/services_ntpd.php b/usr/local/www/services_ntpd.php
index 88d3f20..25a380f 100644
--- a/usr/local/www/services_ntpd.php
+++ b/usr/local/www/services_ntpd.php
@@ -295,7 +295,7 @@ include("head.inc");
}
echo ">\n";
- echo "<input name=\"server{$i}\" class=\"formfld unknown\" id=\"server{$i}\" size=\"30\" value=\"{$timeservers[$i]}\" type=\"text\" />&emsp;";
+ echo "<input name=\"server{$i}\" class=\"formfld unknown\" id=\"server{$i}\" size=\"30\" value=\"" . htmlspecialchars($timeservers[$i]) . "\" type=\"text\" />&emsp;";
echo "\n<input name=\"servprefer{$i}\" class=\"formcheckbox\" id=\"servprefer{$i}\" onclick=\"CheckOffOther('servprefer{$i}', 'servselect{$i}')\" type=\"checkbox\"";
if (isset($config['ntpd']['prefer']) && isset($timeservers[$i]) && substr_count($config['ntpd']['prefer'], $timeservers[$i])) echo " checked=\"checked\"";
echo " />&nbsp;prefer&emsp;";
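Review bot: The escaping added on line 26 calls htmlspecialchars() with its default flags, which leave single quotes untouched; that is adequate because the value attribute is double-quoted, but passing the flag explicitly, `htmlspecialchars($timeservers[$i], ENT_QUOTES)`, keeps the output safe if the surrounding markup is later changed to single-quoted attributes. On the context line that follows, the prefer check uses substr_count(), which is a substring match rather than an exact one, so a server entry that is a prefix of another entry in the prefer list is also marked as preferred, and an empty `$timeservers[$i]` passes the isset() guard yet makes substr_count() warn on an empty needle; comparing against the split prefer list with in_array(..., true) would be more precise. The enclosing loop starts and ends outside the hunk.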
diff --git a/usr/local/www/system_firmware_settings.php b/usr/local/www/system_firmware_settings.php
index ec48469..3959ea6 100644
--- a/usr/local/www/system_firmware_settings.php
+++ b/usr/local/www/system_firmware_settings.php
@@ -167,7 +167,7 @@ function enable_altfirmwareurl(enable_over) {
<td class="vtable">
<input name="alturlenable" type="checkbox" id="alturlenable" value="yes" onclick="enable_altfirmwareurl()" <?php if(isset($curcfg['alturl']['enable'])) echo "checked=\"checked\""; ?> /> <?=gettext("Use an unofficial server for firmware upgrades") ?><br />
<table summary="alternative Base URL">
- <tr><td><?=gettext("Base URL:"); ?></td><td><input name="firmwareurl" type="text" class="formfld url" id="firmwareurl" size="64" value="<?php if($curcfg['alturl']['firmwareurl']) echo $curcfg['alturl']['firmwareurl']; else echo $g['']; ?>" /></td></tr>
+ <tr><td><?=gettext("Base URL:"); ?></td><td><input name="firmwareurl" type="text" class="formfld url" id="firmwareurl" size="64" value="<?php if($curcfg['alturl']['firmwareurl']) echo htmlspecialchars($curcfg['alturl']['firmwareurl']); else echo $g['']; ?>" /></td></tr>
</table>
<span class="vexpl">
<?=gettext("This is where"); ?> <?php echo $g['product_name'] ?> <?=gettext("will check for newer firmware versions when the"); ?> <a href="system_firmware_check.php"><?=gettext("System: Firmware: Auto Update"); ?></a> <?=gettext("page is viewed."); ?>
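Review bot: The fallback branch kept on the new line 39, `else echo $g['']`, indexes `$g` with an empty-string key, which looks like a leftover typo for a named default and at runtime yields an undefined-index notice and an empty value; the commit escapes the main branch but leaves this as-is. If no default URL is intended the branch can simply be dropped: `value="<?php if ($curcfg['alturl']['firmwareurl']) echo htmlspecialchars($curcfg['alturl']['firmwareurl']); ?>"`. If a default is intended it should name the actual `$g` key, which cannot be determined from the hunk.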
@@ -224,7 +224,7 @@ function enable_altfirmwareurl(enable_over) {
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Repository URL"); ?></td>
<td width="78%" class="vtable">
- <input name="repositoryurl" type="text" class="formfld url" id="repositoryurl" size="64" value="<?php if ($gitcfg['repositoryurl']) echo $gitcfg['repositoryurl']; ?>" />
+ <input name="repositoryurl" type="text" class="formfld url" id="repositoryurl" size="64" value="<?php if ($gitcfg['repositoryurl']) echo htmlspecialchars($gitcfg['repositoryurl']); ?>" />
<?php if($lastrepositoryurl): ?>
<br />
<?=sprintf(gettext("The most recently used repository was %s"), $lastrepositoryurl); ?>
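Review bot: Two lines after the input escaped on line 48, `$lastrepositoryurl` is still written into the page body unescaped through sprintf(); if it is derived from the same stored or previously submitted repository URL, it carries the same reflected-markup risk the commit fixes for the value attribute. The same pattern appears with `$lastbranch` in the hunk ending at line 60. Suggested: `<?=sprintf(gettext("The most recently used repository was %s"), htmlspecialchars($lastrepositoryurl)); ?>`. Where these two variables are assigned is outside the hunk, so confirm their origin before changing.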
@@ -250,7 +250,7 @@ function enable_altfirmwareurl(enable_over) {
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Branch name"); ?></td>
<td width="78%" class="vtable">
- <input name="branch" type="text" class="formfld unknown" id="branch" size="64" value="<?php if ($gitcfg['branch']) echo $gitcfg['branch']; ?>" />
+ <input name="branch" type="text" class="formfld unknown" id="branch" size="64" value="<?php if ($gitcfg['branch']) echo htmlspecialchars($gitcfg['branch']); ?>" />
<?php if($lastbranch): ?>
<br />
<?=sprintf(gettext("The most recently used branch was %s"), $lastbranch); ?>
diff --git a/usr/local/www/vpn_openvpn_csc.php b/usr/local/www/vpn_openvpn_csc.php
index 5aa6dbd..e1c84b3 100644
--- a/usr/local/www/vpn_openvpn_csc.php
+++ b/usr/local/www/vpn_openvpn_csc.php
@@ -602,7 +602,7 @@ function netbios_change() {
<span class="vexpl">
<?=gettext("Server"); ?> #1:&nbsp;
</span>
- <input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=$pconfig['ntp_server1'];?>" />
+ <input name="ntp_server1" type="text" class="formfld unknown" id="ntp_server1" size="20" value="<?=htmlspecialchars($pconfig['ntp_server1']);?>" />
</td>
</tr>
<tr>
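Review bot: The new `<?=htmlspecialchars(...);?>` calls on lines 70, 79, 88 and 97 rely on the function's default flags and default charset; with the attributes double-quoted that is sufficient, but `$pconfig` here is presumably repopulated from the submitted form on a validation error, so passing `ENT_QUOTES` and the page's charset explicitly, e.g. `htmlspecialchars($pconfig['ntp_server1'], ENT_QUOTES, 'UTF-8')`, would keep the escaping correct if the markup or the PHP default charset changes. Since the same edit is repeated four times in this file, a small escaping helper used for every text input in the form would also make it easier to audit that no field was missed. The enclosing form markup starts and ends outside these hunks.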
@@ -610,7 +610,7 @@ function netbios_change() {
<span class="vexpl">
<?=gettext("Server"); ?> #2:&nbsp;
</span>
- <input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=$pconfig['ntp_server2'];?>" />
+ <input name="ntp_server2" type="text" class="formfld unknown" id="ntp_server2" size="20" value="<?=htmlspecialchars($pconfig['ntp_server2']);?>" />
</td>
</tr>
</table>
@@ -698,7 +698,7 @@ function netbios_change() {
<span class="vexpl">
<?=gettext("Server"); ?> #1:&nbsp;
</span>
- <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=$pconfig['wins_server1'];?>" />
+ <input name="wins_server1" type="text" class="formfld unknown" id="wins_server1" size="20" value="<?=htmlspecialchars($pconfig['wins_server1']);?>" />
</td>
</tr>
<tr>
@@ -706,7 +706,7 @@ function netbios_change() {
<span class="vexpl">
<?=gettext("Server"); ?> #2:&nbsp;
</span>
- <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=$pconfig['wins_server2'];?>" />
+ <input name="wins_server2" type="text" class="formfld unknown" id="wins_server2" size="20" value="<?=htmlspecialchars($pconfig['wins_server2']);?>" />
</td>
</tr>
</table>