author | Erik Fonnesbeck <efonnes@gmail.com> | 2010-11-21 09:32:33 -0700 |
---|---|---|
committer | Erik Fonnesbeck <efonnes@gmail.com> | 2010-11-21 10:23:34 -0700 |
commit | 0f806ecab4d4e6f1dae8af476d14e21003f162b2 (patch) | |
tree | 1403ffe745aea4b782b9ca379ad3ec6b2a710396 /etc/inc/auth.inc | |
parent | 2b8bdfe47ca88c7f71818ca3e25cd236aa41503e (diff) | |
download | pfsense-0f806ecab4d4e6f1dae8af476d14e21003f162b2.zip pfsense-0f806ecab4d4e6f1dae8af476d14e21003f162b2.tar.gz |
Upon restoring a config, replacing whole sections, or editing config.xml in edit.php, prevent possible accidental lockout from DNS rebind and HTTP referrer checks by disabling them until reboot or the next time they pass, whichever comes sooner. Ticket #1027
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r-- | etc/inc/auth.inc | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 67ea8c6..9de5044 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -49,6 +49,9 @@ if(!$do_not_include_config_gui_inc)
 require_once("config.gui.inc");
+// Will be changed to false if security checks fail
+$security_passed = true;
+
 /* If this function doesn't exist, we're being called from Captive Portal or another internal subsystem which does not include authgui.inc */
 if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
@@ -84,8 +87,11 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
 }
 if($found_host == false) {
-display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.");
-exit;
+if(!security_checks_disabled()) {
+display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.");
+exit;
+}
+$security_passed = false;
 }
 }
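Review bot: When `security_checks_disabled()` returns true, the failed DNS-rebind check in the `@@ -84,8` hunk falls through silently — the new code only clears `$security_passed`, so a request that would normally have been rejected with a 501 is served with no trace in the logs. The same applies to the HTTP_REFERER check in the hunk at `@@ -127,12`. I would record the bypass on both paths before the flag is cleared, e.g. `log_error("DNS rebind check failed, but security checks are temporarily disabled");`, assuming log_error() from the utility includes is in scope here (the include list is outside this hunk). Both `security_checks_disabled()` and the restore helper are defined outside this file, so how long the bypass window lasts can only be inferred from the commit message; a one-line comment at the `$security_passed = true;` declaration in the first hunk pointing at where the flag is consumed would help the next reader.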
@@ -127,12 +133,20 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui']['
 }
 }
 if($found_host == false) {
-display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
-exit;
+if(!security_checks_disabled()) {
+display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
+exit;
+}
+$security_passed = false;
 }
 }
 }
+if (function_exists("display_error_form") && $security_passed)
+/* Security checks passed, so it should be OK to turn them back on */
+restore_security_checks();
+unset($security_passed);
+
 $groupindex = index_groups();
 $userindex = index_users(); |
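Review bot: The new `if (function_exists("display_error_form") && $security_passed)` near the end of the hunk has no braces and a comment line sitting between the condition and `restore_security_checks();`, which invites a later edit to add a second statement that silently runs outside the condition. Wrap it: `if (function_exists("display_error_form") && $security_passed) {` / `restore_security_checks();` / `}` with the comment moved above the `if`. The referer-check `if (...)` that encloses the first part of this hunk starts before it. Note also that when either check is switched off in the config, `$security_passed` stays true and the checks are re-enabled without having actually run; that looks intended, but deserves a comment such as `/* a check disabled in the config counts as passed */` next to the declaration.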