authorjim-p <jimp@netgate.com>2019-01-29 14:15:09 -0500
committerjim-p <jimp@netgate.com>2019-01-29 14:23:05 -0500
commit5c4fef46ab9fd6be569a2c18185062bb34d0eb37 (patch)
tree4dcedac7c722422c8f54b830e1d1ef44439dadef
parent9712ce4ef2b5228aed2af3c84d9d8a5df480fbc1 (diff)
downloadpfsense-5c4fef46ab9fd6be569a2c18185062bb34d0eb37.zip
pfsense-5c4fef46ab9fd6be569a2c18185062bb34d0eb37.tar.gz
Add validation and encoding to various firewall advanced values. Issue #9294
(cherry picked from commit 62baf0777924b2c21c832db3c0040988e7451c61)
-rw-r--r--src/usr/local/www/firewall_rules_edit.php96
-rw-r--r--src/usr/local/www/guiconfig.inc38
2 files changed, 85 insertions, 49 deletions
diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php
index ac86dc8..7ca3624 100644
--- a/src/usr/local/www/firewall_rules_edit.php
+++ b/src/usr/local/www/firewall_rules_edit.php
@@ -61,6 +61,24 @@ $icmplookup = array(
'inet46' => array('name' => 'IPv4+6', 'icmptypes' => $icmptypes46, 'helpmsg' => sprintf(gettext('For ICMP rules on IPv4+IPv6, one or more of these ICMP subtypes may be specified. (Other ICMP subtypes are only valid under IPv4 %1$sor%2$s IPv6, not both)'), '<i>', '</i>'))
);
+$statetype_values = array(
+ 'keep state' => gettext('Keep'),
+ 'sloppy state' => gettext('Sloppy'),
+ 'synproxy state' => gettext('Synproxy'),
+ 'none' => gettext('None'),
+);
+
+$vlanprio = array(
+ "" => "none",
+ "bk" => "Background (BK, 0)",
+ "be" => "Best Effort (BE, 1)",
+ "ee" => "Excellent Effort (EE, 2)",
+ "ca" => "Critical Applications (CA, 3)",
+ "vi" => "Video (VI, 4)",
+ "vo" => "Voice (VO, 5)",
+ "ic" => "Internetwork Control (IC, 6)",
+ "nc" => "Network Control (NC, 7)");
+
if (isset($_POST['referer'])) {
$referer = $_POST['referer'];
} else {
@@ -310,6 +328,20 @@ if (isset($_REQUEST['dup']) && is_numericint($_REQUEST['dup'])) {
read_altq_config(); /* XXX: */
$qlist =& get_unique_queue_list();
+
+$list = array('' => 'none');
+if (!is_array($qlist)) {
+ $qlist = array();
+}
+
+foreach ($qlist as $q => $qkey) {
+ if (isset($ifdisp[$q])) {
+ $list[$q] = $ifdisp[$q];
+ } else {
+ $list[$q] = $q;
+ }
+}
+
read_dummynet_config(); /* XXX: */
$dnqlist =& get_unique_dnqueue_list();
$a_gatewaygroups = return_gateway_groups_array();
@@ -764,6 +796,39 @@ if ($_POST['save']) {
}
}
+ if ($_POST['dscp'] && !in_array($_POST['dscp'], $firewall_rules_dscp_types)) {
+ $input_errors[] = gettext("Invalid DSCP value.");
+ }
+ if ($_POST['tag'] && !is_validaliasname($_POST['tag'])) {
+ $input_errors[] = gettext("Invalid tag value.");
+ }
+ if ($_POST['tagged'] && !is_validaliasname($_POST['tagged'])) {
+ $input_errors[] = gettext("Invalid tagged value.");
+ }
+ if ($_POST['statetype'] && !array_key_exists($_POST['statetype'], $statetype_values)) {
+ $input_errors[] = gettext("Invalid State Type.");
+ }
+ if ($_POST['vlanprio'] && !in_array($_POST['vlanprio'], $vlanprio)) {
+ $input_errors[] = gettext("Invalid VLAN Prio.");
+ }
+ if ($_POST['vlanprioset'] && !in_array($_POST['vlanprioset'], $vlanprio)) {
+ $input_errors[] = gettext("Invalid VLAN Prio Set.");
+ }
+
+ if ($_POST['ackqueue'] && !array_key_exists($_POST['ackqueue'], $list)) {
+ $input_errors[] = gettext("Invalid ACK Queue.");
+ }
+ if ($_POST['defaultqueue'] && !array_key_exists($_POST['defaultqueue'], $list)) {
+ $input_errors[] = gettext("Invalid Default Queue.");
+ }
+
+ if ($_POST['dnpipe'] && !in_array($_POST['dnpipe'], $dnqlist)) {
+ $input_errors[] = gettext("Invalid In Pipe.");
+ }
+ if ($_POST['pdnpipe'] && !in_array($_POST['pdnpipe'], $dnqlist)) {
+ $input_errors[] = gettext("Invalid Out Pipe.");
+ }
+
// Allow extending of the firewall edit page and include custom input validation
pfSense_handle_custom_code("/usr/local/pkg/firewall_rules/input_validation");
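Review bot: The VLAN priority checks on the `$_POST['vlanprio']` and `$_POST['vlanprioset']` lines use `in_array()` against `$vlanprio`, whose values are the display labels (`"Background (BK, 0)"`) while its keys are the short codes (`"bk"`); if the select submits the keys, as the `array_key_exists` checks for `statetype`, `ackqueue` and `defaultqueue` in this same hunk assume for their arrays, every real selection is rejected with "Invalid VLAN Prio." and only a label string would pass. Make the two checks consistent with the others: `if ($_POST['vlanprio'] && !array_key_exists($_POST['vlanprio'], $vlanprio)) {` and likewise for `vlanprioset`. The `dnpipe`/`pdnpipe` checks also use `in_array()` against `$dnqlist`, whose shape is not visible here; if it is keyed by queue name the way `$qlist` is iterated in the earlier hunk, they have the same problem and should use `array_key_exists` too. The enclosing `if ($_POST['save'])` block starts and ends outside this hunk.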
@@ -1572,12 +1637,7 @@ $section->addInput(new Form_Select(
'statetype',
'State type',
(isset($pconfig['statetype'])) ? $pconfig['statetype'] : "keep state",
- array(
- 'keep state' => gettext('Keep'),
- 'sloppy state' => gettext('Sloppy'),
- 'synproxy state' => gettext('Synproxy'),
- 'none' => gettext('None'),
- )
+ $statetype_values
))->setHelp('Select which type of state tracking mechanism to use. If in doubt, use keep state.%1$s',
'<br /><span></span>');
@@ -1588,17 +1648,6 @@ $section->addInput(new Form_Checkbox(
$pconfig['nosync']
))->setHelp('This does NOT prevent the rule from being overwritten on Slave.');
-$vlanprio = array(
- "" => "none",
- "bk" => "Background (BK, 0)",
- "be" => "Best Effort (BE, 1)",
- "ee" => "Excellent Effort (EE, 2)",
- "ca" => "Critical Applications (CA, 3)",
- "vi" => "Video (VI, 4)",
- "vo" => "Voice (VO, 5)",
- "ic" => "Internetwork Control (IC, 6)",
- "nc" => "Network Control (NC, 7)");
-
$section->addInput(new Form_Select(
'vlanprio',
'VLAN Prio',
@@ -1684,19 +1733,6 @@ $section->add($group)->setHelp('Choose the Out queue/Virtual interface only if '
$group = new Form_Group('Ackqueue / Queue');
-$list = array('' => 'none');
-if (!is_array($qlist)) {
- $qlist = array();
-}
-
-foreach ($qlist as $q => $qkey) {
- if (isset($ifdisp[$q])) {
- $list[$q] = $ifdisp[$q];
- } else {
- $list[$q] = $q;
- }
-}
-
$group->add(new Form_Select(
'ackqueue',
'Ackqueue',
diff --git a/src/usr/local/www/guiconfig.inc b/src/usr/local/www/guiconfig.inc
index 6d7c12d..2f70ab6 100644
--- a/src/usr/local/www/guiconfig.inc
+++ b/src/usr/local/www/guiconfig.inc
@@ -452,67 +452,67 @@ function insert_word_breaks_in_domain_name($domain_name) {
function firewall_check_for_advanced_options(&$item) {
$item_set = "";
if ($item['os']) {
- $item_set .= "os {$item['os']} ";
+ $item_set .= "os " . htmlspecialchars($item['os']) . " ";
}
if ($item['dscp']) {
- $item_set .= "dscp {$item['dscp']} ";
+ $item_set .= "dscp " . htmlspecialchars($item['dscp']) . " ";
}
if ($item['max']) {
- $item_set .= "max {$item['max']} ";
+ $item_set .= "max " . htmlspecialchars($item['max']) . " ";
}
if ($item['max-src-nodes']) {
- $item_set .= "max-src-nodes {$item['max-src-nodes']} ";
+ $item_set .= "max-src-nodes " . htmlspecialchars($item['max-src-nodes']) . " ";
}
if ($item['max-src-conn']) {
- $item_set .= "max-src-conn {$item['max-src-conn']} ";
+ $item_set .= "max-src-conn " . htmlspecialchars($item['max-src-conn']) . " ";
}
if ($item['max-src-states']) {
- $item_set .= "max-src-states {$item['max-src-states']} ";
+ $item_set .= "max-src-states " . htmlspecialchars($item['max-src-states']) . " ";
}
if (isset($item['nopfsync'])) {
$item_set .= "nopfsync ";
}
if ($item['statetype'] != "keep state" && $item['statetype'] != "") {
- $item_set .= "statetype {$item['statetype']} ";
+ $item_set .= "statetype " . htmlspecialchars($item['statetype']) . " ";
}
if ($item['statetimeout']) {
- $item_set .= "statetimeout {$item['statetimeout']} ";
+ $item_set .= "statetimeout " . htmlspecialchars($item['statetimeout']) . " ";
}
if (isset($item['nosync'])) {
$item_set .= "no XMLRPC Sync ";
}
if ($item['max-src-conn-rate']) {
- $item_set .= "max-src-conn-rate {$item['max-src-conn-rate']} ";
+ $item_set .= "max-src-conn-rate " . htmlspecialchars($item['max-src-conn-rate']) . " ";
}
if ($item['max-src-conn-rates']) {
- $item_set .= "max-src-conn-rates {$item['max-src-conn-rates']} ";
+ $item_set .= "max-src-conn-rates " . htmlspecialchars($item['max-src-conn-rates']) . " ";
}
if ($item['vlanprio']) {
- $item_set .= "vlanprio {$item['vlanprio']} ";
+ $item_set .= "vlanprio " . htmlspecialchars($item['vlanprio']) . " ";
}
if ($item['vlanprioset']) {
- $item_set .= "vlanprioset {$item['vlanprioset']} ";
+ $item_set .= "vlanprioset " . htmlspecialchars($item['vlanprioset']) . " ";
}
if ($item['gateway']) {
- $item_set .= "gateway {$item['gateway']} ";
+ $item_set .= "gateway " . htmlspecialchars($item['gateway']) . " ";
}
if ($item['dnpipe']) {
- $item_set .= "limiter {$item['dnpipe']} ";
+ $item_set .= "limiter " . htmlspecialchars($item['dnpipe']) . " ";
}
if ($item['pdnpipe']) {
- $item_set .= "limiter {$item['pdnpipe']} ";
+ $item_set .= "limiter " . htmlspecialchars($item['pdnpipe']) . " ";
}
if ($item['ackqueue']) {
- $item_set .= "ackqueue {$item['ackqueue']} ";
+ $item_set .= "ackqueue " . htmlspecialchars($item['ackqueue']) . " ";
}
if ($item['defaultqueue']) {
- $item_set .= "defaultqueue {$item['defaultqueue']} ";
+ $item_set .= "defaultqueue " . htmlspecialchars($item['defaultqueue']) . " ";
}
if ($item['tag']) {
- $item_set .= "tag {$item['tag']} ";
+ $item_set .= "tag " . htmlspecialchars($item['tag']) . " ";
}
if ($item['tagged']) {
- $item_set .= "tagged {$item['tagged']} ";
+ $item_set .= "tagged " . htmlspecialchars($item['tagged']) . " ";
}
if (isset($item['allowopts'])) {
$item_set .= "allowopts ";
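Review bot: Every `htmlspecialchars()` call added in this hunk relies on the default flags, which on PHP versions before 8.1 do not encode single quotes, so the result is only safe if `$item_set` is never emitted inside a single-quoted attribute; where it is rendered is not visible here. Pass the flags explicitly on each line, e.g. `$item_set .= "os " . htmlspecialchars($item['os'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . " ";`, so the encoding does not depend on the runtime's default. The same label-plus-value pattern is repeated nineteen times; a small `key => label` table iterated in one loop (with the `statetype` condition and the `isset` flags kept as special cases) would make it harder to forget the encoding when a new option is added. The function body and its return continue past the end of this hunk.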