author | Ermal Luçi <eri@pfsense.org> | 2014-01-07 07:59:35 -0800 |
---|---|---|
committer | Ermal Luçi <eri@pfsense.org> | 2014-01-07 07:59:35 -0800 |
commit | 33e7287481352f953d50e64a364a0d52de6f3c9c (patch) | |
tree | af06e68dc9fed03732789f81d750221575616336 | |
parent | 6b6607316481aacaa055f8e4bce2ce1e520d3b1b (diff) | |
parent | 7d14b000370166f0d18d212ff5bdb8b2733eb0c5 (diff) | |
download | pfsense-33e7287481352f953d50e64a364a0d52de6f3c9c.zip pfsense-33e7287481352f953d50e64a364a0d52de6f3c9c.tar.gz |
Merge pull request #880 from phil-davis/master
Check for vertical bars in alias detail descriptions
-rwxr-xr-x | usr/local/www/firewall_aliases_edit.php | 56 | ||||
-rwxr-xr-x | usr/local/www/firewall_aliases_import.php | 4 |
2 files changed, 47 insertions, 13 deletions
diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php
index 82c3dbd..7bef3d6 100755
--- a/usr/local/www/firewall_aliases_edit.php
+++ b/usr/local/www/firewall_aliases_edit.php
@@ -54,7 +54,7 @@ $pgtitle = array(gettext("Firewall"),gettext("Aliases"),gettext("Edit"));
 // Keywords not allowed in names
 $reserved_keywords = array("all", "pass", "block", "out", "queue", "max", "min", "pptp", "pppoe", "L2TP", "OpenVPN", "IPsec");
-// Add all Load balance names to resrved_keywords
+// Add all Load balance names to reserved_keywords
 if (is_array($config['load_balancer']['lbpool'])) foreach ($config['load_balancer']['lbpool'] as $lbpool) $reserved_keywords[] = $lbpool['name'];
@@ -124,6 +124,7 @@ if (isset($id) && $a_aliases[$id]) {
 if ($_POST) {
 unset($input_errors);
+ $vertical_bar_err_text = gettext("Vertical bars (|) at start or end, or double in the middle of descriptions not allowed. Descriptions have been cleaned. Check and save again.");
 /* input validation */
@@ -173,7 +174,7 @@ if ($_POST) {
 $address = "";
 $isfirst = 0;
- /* item is a url type */
+ /* item is a url table type */
 if ($_POST['address0']) {
 /* fetch down and add in */
 $_POST['address0'] = trim($_POST['address0']);
@@ -186,14 +187,22 @@ if ($_POST) {
 } elseif (! process_alias_urltable($alias['name'], $alias['url'], 0, true)) {
 $input_errors[] = gettext("Unable to fetch usable data.");
 }
- if ($_POST["detail0"] <> "")
- $final_address_details[] = $_POST["detail0"];
- else
+ if ($_POST["detail0"] <> "") {
+ if ((strpos($_POST["detail0"], "||") === false) && (substr($_POST["detail0"], 0, 1) != "|") && (substr($_POST["detail0"], -1, 1) != "|")) {
+ $final_address_details[] = $_POST["detail0"];
+ } else {
+ /* Remove leading and trailing vertical bars and replace multiple vertical bars with single, */
+ /* and put in the output array so the text is at least redisplayed for the user. */
+ $final_address_details[] = preg_replace('/\|\|+/', '|', trim($_POST["detail0"], "|"));
+ $input_errors[] = $vertical_bar_err_text;
+ }
+ } else
 $final_address_details[] = sprintf(gettext("Entry added %s"), date('r'));
 }
 } else if ($_POST['type'] == "url" || $_POST['type'] == "url_ports") {
 $isfirst = 0;
 $address_count = 2;
+ $desc_fmt_err_found = false;
 /* item is a url type */
 for($x=0; $x<4999; $x++) {
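Review bot: The three-part bar test and the `preg_replace`/`trim` clean-up are written out inline for `detail0` here, repeated in both `detail{$x}` loops later in this file, and the test alone is repeated in firewall_aliases_import.php, so the rule for this delimiter now lives in four places. Two small helpers in an include shared by both pages would keep them in step and give one place to document why the bars are restricted (presumably because stored details are joined with `||`; the save code is outside this diff, so confirm). The helper names below are placeholders, not existing functions. The enclosing `if ($_POST)` block starts and ends outside the hunk.

```php
/* Placeholder names; define once in an include that both pages load. */
function alias_detail_bars_ok($detail) {
	return (strpos($detail, "||") === false) && (substr($detail, 0, 1) != "|") && (substr($detail, -1, 1) != "|");
}

function alias_detail_strip_bars($detail) {
	return preg_replace('/\|\|+/', '|', trim($detail, "|"));
}

// … unchanged: url table fetch and its error handling …
if ($_POST["detail0"] <> "") {
	if (alias_detail_bars_ok($_POST["detail0"])) {
		// … unchanged: keep the description as submitted …
	} else {
		$final_address_details[] = alias_detail_strip_bars($_POST["detail0"]);
		// … unchanged: add $vertical_bar_err_text to $input_errors …
```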
@@ -217,9 +226,19 @@ if ($_POST) {
 $alias['aliasurl'] = array();
 $alias['aliasurl'][] = $_POST['address' . $x];
- if ($_POST["detail{$x}"] <> "")
- $final_address_details[] = $_POST["detail{$x}"];
- else
+ if ($_POST["detail{$x}"] <> "") {
+ if ((strpos($_POST["detail{$x}"], "||") === false) && (substr($_POST["detail{$x}"], 0, 1) != "|") && (substr($_POST["detail{$x}"], -1, 1) != "|")) {
+ $final_address_details[] = $_POST["detail{$x}"];
+ } else {
+ /* Remove leading and trailing vertical bars and replace multiple vertical bars with single, */
+ /* and put in the output array so the text is at least redisplayed for the user. */
+ $final_address_details[] = preg_replace('/\|\|+/', '|', trim($_POST["detail{$x}"], "|"));
+ if (!$desc_fmt_err_found) {
+ $input_errors[] = $vertical_bar_err_text;
+ $desc_fmt_err_found = true;
+ }
+ }
+ } else
 $final_address_details[] = sprintf(gettext("Entry added %s"), date('r'));
 if(file_exists("{$temp_filename}/aliases")) {
@@ -257,11 +276,13 @@ if ($_POST) {
 }
 }
 }
+ unset($desc_fmt_err_found);
 if ($_POST['type'] == "url_ports") $address = group_ports($address);
 } else {
 /* item is a normal alias type */
 $wrongaliases = "";
+ $desc_fmt_err_found = false;
 for($x=0; $x<4999; $x++) {
 if($_POST["address{$x}"] <> "") {
 $_POST["address{$x}"] = trim($_POST["address{$x}"]);
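Review bot: `$_POST["detail{$x}"]` is handed to `strpos()`, `substr()` and `trim()` in the added test without confirming it is a string; a field submitted as `detail1[]` arrives as an array, and depending on the PHP version those calls then emit warnings or throw a TypeError rather than producing a validation error. Adding the type test to the outer condition, `if (is_string($_POST["detail{$x}"]) && $_POST["detail{$x}"] <> "") {`, lets a non-string value fall through to the default "Entry added" text. The same applies to the `detail0` branch earlier in this file and to the normal-alias loop further down. The `for` loop this sits in starts outside the hunk.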
@@ -290,16 +311,29 @@ if ($_POST) {
 $tmpaddress .= "/" . $_POST["address_subnet{$x}"];
 $address[] = $tmpaddress;
 }
- if ($_POST["detail{$x}"] <> "")
- $final_address_details[] = $_POST["detail{$x}"];
- else
+ if ($_POST["detail{$x}"] <> "") {
+ if ((strpos($_POST["detail{$x}"], "||") === false) && (substr($_POST["detail{$x}"], 0, 1) != "|") && (substr($_POST["detail{$x}"], -1, 1) != "|")) {
+ $final_address_details[] = $_POST["detail{$x}"];
+ } else {
+ /* Remove leading and trailing vertical bars and replace multiple vertical bars with single, */
+ /* and put in the output array so the text is at least redisplayed for the user. */
+ $final_address_details[] = preg_replace('/\|\|+/', '|', trim($_POST["detail{$x}"], "|"));
+ if (!$desc_fmt_err_found) {
+ $input_errors[] = $vertical_bar_err_text;
+ $desc_fmt_err_found = true;
+ }
+ }
+ } else
 $final_address_details[] = sprintf(gettext("Entry added %s"), date('r'));
 }
 }
+ unset($desc_fmt_err_found);
 if ($wrongaliases <> "") $input_errors[] = sprintf(gettext('The alias(es): %s cannot be nested because they are not of the same type.'), $wrongaliases);
 }
+ unset($vertical_bar_err_text);
+
 // Allow extending of the firewall edit page and include custom input validation
 pfSense_handle_custom_code("/usr/local/pkg/firewall_aliases_edit/input_validation");
diff --git a/usr/local/www/firewall_aliases_import.php b/usr/local/www/firewall_aliases_import.php
index 6de2965..276dfb5 100755
--- a/usr/local/www/firewall_aliases_import.php
+++ b/usr/local/www/firewall_aliases_import.php
@@ -98,7 +98,7 @@ if($_POST['aliasimport'] <> "") {
 $impip = $implinea[0];
 $impdesc = trim($implinea[1]);
 if (strlen($impdesc) < 200) {
- if (strpos($impdesc, "||") === false) {
+ if ((strpos($impdesc, "||") === false) && (substr($impdesc, 0, 1) != "|") && (substr($impdesc, -1, 1) != "|")) {
 if (is_iprange($impip)) {
 list($startip, $endip) = explode('-', $impip);
 $rangesubnets = ip_range_to_subnet_array($startip, $endip);
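Review bot: The description test added in the normal-alias loop runs on the raw, untrimmed `$_POST["detail{$x}"]` with no length bound, whereas the import page in this commit tests `trim($implinea[1])` and only inside `if (strlen($impdesc) < 200)`. A value with surrounding whitespace such as ` |text` therefore passes here but would be rejected on import, and it becomes a leading bar if anything later trims it (not visible in this diff). Suggest normalising first, `$detail = trim($_POST["detail{$x}"]);`, and applying the same `strlen($detail) < 200` bound unless it is already enforced elsewhere in the file. The loop starts outside the hunk.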
@@ -114,7 +114,7 @@ if($_POST['aliasimport'] <> "") {
 } else {
 if (!$desc_fmt_err_found) {
- $input_errors[] = gettext("Descriptions may not contain double vertical bar ||.");
+ $input_errors[] = gettext("Descriptions may not start or end with vertical bar (|) or contain double vertical bar ||.");
 $desc_fmt_err_found = true;
 }
 } |