author | Ermal Luçi <eri@pfsense.org> | 2009-12-03 13:54:11 +0000 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2009-12-03 13:54:43 +0000 |
commit | 1e578a7f10843f470d2bf5274bbef695a14bb9d0 (patch) | |
tree | 9cb418145d2f8ab621e320f0961e971da6783715 | |
parent | b96cad97eafee7dc4b2cdb143af07f92ff35c68e (diff) | |
download | pfsense-1e578a7f10843f470d2bf5274bbef695a14bb9d0.zip pfsense-1e578a7f10843f470d2bf5274bbef695a14bb9d0.tar.gz |
Resolves #146 Add proper validation on alias usage. Allow port type aliases only on the port side and other aliases in IP specifications and similar. Introduce a new function is_portoralias to resemble is_ipaddroralias to check for the cases.
-rw-r--r-- | etc/inc/util.inc | 52 | ||||
-rwxr-xr-x | usr/local/www/firewall_nat_edit.php | 6 | ||||
-rwxr-xr-x | usr/local/www/firewall_rules_edit.php | 14 |
3 files changed, 38 insertions, 34 deletions
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index b585aa8..603ad8a 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -201,34 +201,21 @@ function is_ipaddr($ipaddr) {
 /* returns true if $ipaddr is a valid dotted IPv4 address or an alias thereof */
 function is_ipaddroralias($ipaddr) {
+	global $config;
-	global $aliastable, $config;
-
-	if(is_array($config['aliases']['alias'])) {
-		foreach($config['aliases']['alias'] as $alias) {
-			if($alias['name'] == $ipaddr)
-				return true;
-		}
-	}
-
-	if (isset($aliastable[$ipaddr]) && is_ipaddr($aliastable[$ipaddr]))
-		return true;
-	else
+	if (is_alias($ipaddr)) {
+		if (is_array($config['aliases']['alias'])) {
+			foreach ($config['aliases']['alias'] as $alias) {
+				if ($alias['name'] == $ipaddr && $alias['type'] != "port")
+					return true;
+			}
+		}
+		return false;
+	} else
 		return is_ipaddr($ipaddr);
 }
-/* returns true if $ipaddr is a valid dotted IPv4 address or any alias */
-function is_ipaddroranyalias($ipaddr) {
-
-	global $aliastable;
-
-	if (isset($aliastable[$ipaddr]))
-		return true;
-	else
-		return is_ipaddr($ipaddr);
-}
-
 /* returns true if $subnet is a valid subnet in CIDR format */
 function is_subnet($subnet) {
 	if (!is_string($subnet))
@@ -332,6 +319,23 @@ function is_portrange($portrange) {
 	return false;
 }
+/* returns true if $port is a valid port number or an alias thereof */
+function is_portoralias($port) {
+	global $config;
+
+	if (is_alias($port)) {
+		if (is_array($config['aliases']['alias'])) {
+			foreach ($config['aliases']['alias'] as $alias) {
+				if ($alias['name'] == $port && $alias['type'] == "port")
+					return true;
+			}
+		}
+		return false;
+	} else
+		return is_port($ipaddr);
+
+}
+
 /* returns true if $val is a valid shaper bandwidth value */
 function is_valid_shaperbw($val) {
 	return (preg_match("/^(\d+(?:\.\d+)?)([MKG]?b|%)$/", $val));
@@ -1115,4 +1119,4 @@ function is_URL($url) {
 	return false;
 }
-?>
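Review bot: The alias lookup in is_ipaddroralias compares a form-supplied value against the alias name with loose `==`, and PHP compares two numeric-looking strings numerically under `==`, so the match should be strict: `if ($alias['name'] === $ipaddr && $alias['type'] != "port")`. The same comparison appears in is_portoralias in the next hunk and should be tightened there too. The header comment no longer describes the function, since port-type aliases are now rejected; suggest `/* returns true if $ipaddr is a valid dotted IPv4 address or a non-port alias */`.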
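Review bot: The non-alias branch of is_portoralias returns `is_port($ipaddr)`, but the function's parameter is `$port` and `$ipaddr` is never assigned here, so a plain port number is checked against an undefined variable and presumably always fails validation. Every caller switched to this helper in the later hunks (the NAT and rules edit pages) would then reject literal port numbers while still accepting port aliases. The fix is the one line `return is_port($port);`. The stray blank line before the closing brace can go at the same time.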
\ No newline at end of file
+?>
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 635f7f4..a1e0c9c 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -125,15 +125,15 @@ if ($_POST) {
 	/* only validate the ports if the protocol is TCP, UDP or TCP/UDP */
 	if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") {
-		if (($_POST['beginport'] && !is_ipaddroralias($_POST['beginport']) && !is_port($_POST['beginport']))) {
+		if ($_POST['beginport'] && !is_portoralias($_POST['beginport'])) {
 			$input_errors[] = "The start port must be an integer between 1 and 65535.";
 		}
-		if (($_POST['endport'] && !is_ipaddroralias($_POST['endport']) && !is_port($_POST['endport']))) {
+		if ($_POST['endport'] && !is_portoralias($_POST['endport'])) {
 			$input_errors[] = "The end port must be an integer between 1 and 65535.";
 		}
-		if (($_POST['localbeginport'] && !is_ipaddroralias($_POST['localbeginport']) && !is_port($_POST['localbeginport']))) {
+		if ($_POST['localbeginport'] && !is_portoralias($_POST['localbeginport'])) {
 			$input_errors[] = "The local port must be an integer between 1 and 65535.";
 		}
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 8231692..d647ae7 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -45,7 +45,7 @@ require("guiconfig.inc");
 require("filter.inc");
 require("shaper.inc");
-$specialsrcdst = explode(" ", "any pptp pppoe l2tp");
+$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
 $ifdisp = get_configured_interface_with_descr();
 foreach ($ifdisp as $kif => $kdescr) {
 	$specialsrcdst[] = "{$kif}";
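Review bot: The three error messages in firewall_nat_edit.php still say the port "must be an integer between 1 and 65535", but the new is_portoralias check accepts port-type aliases as well, so a user who mistypes an alias name gets a message that never mentions aliases. The rules page already words this as "must be an alias or integer", and the NAT messages should match, e.g. `$input_errors[] = "The start port must be an alias or integer between 1 and 65535.";` for the first one and likewise for the end and local port. The enclosing protocol check and the `if ($_POST)` block both continue outside the hunk.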
@@ -273,16 +273,16 @@ if ($_POST) {
 		$_POST['dstendport'] = 0;
 	}
-	if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
+	if ($_POST['srcbeginport'] && !is_portoralias($_POST['srcbeginport'])) {
 		$input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
 	}
-	if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
+	if ($_POST['srcendport'] && !is_portoralias($_POST['srcendport'])) {
 		$input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
 	}
-	if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
+	if ($_POST['dstbeginport'] && !is_portoralias($_POST['dstbeginport'])) {
 		$input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
 	}
-	if (($_POST['dstendport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstendport']))) {
+	if ($_POST['dstendport'] && !is_portoralias($_POST['dstbeginport'])) {
 		$input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
 	}
@@ -297,7 +297,7 @@ if ($_POST) {
 	}
 	if (!is_specialnet($_POST['srctype'])) {
-		if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
+		if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) {
 			$input_errors[] = "A valid source IP address or alias must be specified.";
 		}
 		if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
@@ -305,7 +305,7 @@ if ($_POST) {
 		}
 	}
 	if (!is_specialnet($_POST['dsttype'])) {
-		if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
+		if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) {
 			$input_errors[] = "A valid destination IP address or alias must be specified.";
 		}
 		if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) { |
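Review bot: The last check in the @@ -273 hunk tests `$_POST['dstendport']` for presence but passes `$_POST['dstbeginport']` to is_portoralias, so the end destination port is never validated. The removed line at least still ran `is_port($_POST['dstendport'])`; after this change any string in dstendport is accepted whenever dstbeginport is valid, and that unchecked value presumably ends up in the saved rule. The fix is `if ($_POST['dstendport'] && !is_portoralias($_POST['dstendport'])) {`. The enclosing `if ($_POST)` block starts and ends outside the hunk.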