authorjim-p <jimp@pfsense.org>2015-07-01 11:32:50 -0400
committerjim-p <jimp@pfsense.org>2015-07-01 11:32:50 -0400
commit362ddda19060ca54c18b43c3b758b00dd253937d (patch)
tree009e10dcb6bdfcced28c696ac565c908dd7d6b6f
parent97fdd83dcb36383151bb40021ef66d907bc820c0 (diff)
downloadpfsense-362ddda19060ca54c18b43c3b758b00dd253937d.zip
pfsense-362ddda19060ca54c18b43c3b758b00dd253937d.tar.gz
Encode ca descr in system_camanager.php
-rw-r--r--usr/local/www/system_camanager.php14
1 files changed, 9 insertions, 5 deletions
diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index cc73b51..4532b27 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -95,7 +95,7 @@ if ($act == "del") {
$name = $a_ca[$id]['descr'];
unset($a_ca[$id]);
write_config();
- $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), $name) . "<br />";
+ $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), htmlspecialchars($name)) . "<br />";
pfSenseHeader("system_camanager.php");
exit;
}
@@ -209,6 +209,10 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if ($pconfig['method'] != "existing") {
/* Make sure we do not have invalid characters in the fields for the certificate */
+ if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) {
+ array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
+ }
+
for ($i = 0; $i < count($reqdfields); $i++) {
if ($reqdfields[$i] == 'dn_email'){
if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["dn_email"]))
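Review bot: The new character class on the `preg_match` line does not actually reject a backslash, if that was the intent: inside a double-quoted PHP string `\\\"` collapses to `\"`, so the regex only sees an escaped double quote and a bare `\` in the description passes validation. Writing the pattern in single quotes, `'/[\?\>\<\&\/\\\\\"\']/'`, makes the intended set explicit. The error text is also the only message in this block not wrapped in `gettext()`, unlike its siblings; `array_push($input_errors, gettext("The field 'Descriptive Name' contains invalid characters."));` keeps it translatable. This check only runs when the method is not `existing`, so an imported CA's description is never filtered here and relies entirely on the output encoding added elsewhere in this commit. The enclosing `if ($_POST)` block starts and ends outside the hunk.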
@@ -455,7 +459,7 @@ function method_change() {
if ($pconfig['caref'] == $ca['refid'])
$selected = " selected=\"selected\"";
?>
- <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=$ca['descr'];?></option>
+ <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>
<?php endforeach; ?>
</select>
</td>
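Review bot: `$ca['refid']` on the `<option>` line is still echoed unescaped inside a double-quoted attribute while the `descr` next to it is now encoded; refid is presumably generated internally rather than typed by a user, but encoding it as well costs nothing and removes the need to reason about its origin: `<option value="<?=htmlspecialchars($ca['refid']);?>"<?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>`. Note that `htmlspecialchars()` with default flags leaves single quotes untouched, which is adequate for the text-node position `descr` occupies here but not for a single-quoted attribute; passing `ENT_QUOTES` keeps the call safe if the markup changes. The `function method_change()` in the hunk header is only the nearest preceding function line the diff tool found; the enclosing PHP `foreach` starts before this hunk.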
@@ -614,7 +618,7 @@ function method_change() {
$issuer_ca = lookup_ca($ca['caref']);
if ($issuer_ca)
- $issuer_name = $issuer_ca['descr'];
+ $issuer_name = htmlspecialchars($issuer_ca['descr']);
// TODO : Need gray certificate icon
@@ -654,12 +658,12 @@ function method_change() {
<tr>
<td width="10%">&nbsp;</td>
<td width="20%"><?=gettext("Valid From")?>:</td>
- <td width="70%"><?= $startdate ?></td>
+ <td width="70%"><?= htmlspecialchars($startdate) ?></td>
</tr>
<tr>
<td>&nbsp;</td>
<td><?=gettext("Valid Until")?>:</td>
- <td><?= $enddate ?></td>
+ <td><?= htmlspecialchars($enddate) ?></td>
</tr>
</table>
</td>