author | Renato Botelho <renato.botelho@bluepex.com> | 2010-11-16 09:31:33 -0200 |
---|---|---|
committer | Renato Botelho <renato.botelho@bluepex.com> | 2010-11-16 09:31:33 -0200 |
commit | 39a8090a5a9ee447442ca6da154b0005b7e1bf80 (patch) | |
tree | fd327d4c1ebda352a39afdf83c0a9bf09f7c3b5f /etc/inc/auth.inc | |
parent | 129841508a5659a2c428213e0b231f9132fbfc4a (diff) | |
parent | e6b960ccffd51fd6a2ad190760f029608051f478 (diff) | |
Merge remote branch 'mainline/master' into inc
Conflicts:
etc/inc/PEAR.inc
etc/inc/filter.inc
Diffstat (limited to 'etc/inc/auth.inc')
-rw-r--r-- | etc/inc/auth.inc | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 132570f..61a816e 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -86,6 +86,41 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
 }
 }
+// If the HTTP_REFERER is something other than ourselves then disallow.
+if(function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
+ if($_SERVER['HTTP_REFERER']) {
+ $found_host = false;
+ $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain'];
+ if(stristr($_SERVER['HTTP_REFERER'], $hostname_me))
+ $found_host = true;
+ if(!empty($config['system']['webgui']['althostnames'])) {
+ $althosts = explode(" ", $config['system']['webgui']['althostnames']);
+ foreach ($althosts as $ah) {
+ if(empty($ah))
+ continue;
+ if(stristr($ah, $hostname_me)) {
+ $found_host = true;
+ break;
+ }
+ }
+ }
+ $interface_list_ips = get_configured_ip_addresses();
+ foreach($interface_list_ips as $ilips) {
+ if(empty($ilips))
+ continue;
+ $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips;
+ if(stristr($_SERVER['HTTP_REFERER'],$hostname_me_ip)) {
+ $found_host = true;
+ break;
+ }
+ }
+ if($found_host == false) {
+ display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
+ exit;
+ }
+ }
+}
+
 $groupindex = index_groups();
 $userindex = index_users();
@@ -449,6 +484,7 @@ function local_user_set_groups($user, $new_groups = NULL ) {
 $group['member'][] = $user['uid'];
 $mod_groups[] = $group;
 }
+ unset($group);
 /* determine which memberships to remove */
 foreach ($cur_groups as $groupname) {
@@ -463,6 +499,7 @@ function local_user_set_groups($user, $new_groups = NULL ) {
 $mod_groups[] = $group;
 }
 }
+ unset($group);
 /* sync all modified groups */
 foreach ($mod_groups as $group) |
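Review bot: The alternate-hostname loop in the first hunk compares each entry against our own hostname instead of against the referer (`if(stristr($ah, $hostname_me))`), so althostnames never widen the accepted set and any entry that merely contains the local FQDN marks every referer as found; the line presumably meant to be `if(stristr($_SERVER['HTTP_REFERER'], $ah)) {`. The hostname and IP comparisons are also substring matches over the whole referer URL, which accept a referer whose path or query string happens to contain the local hostname or address. Parsing the host out with `parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)` and comparing it case-insensitively against the hostname, each althostname and each configured address is the stricter form, and the `$config['webgui']['protocol']` key (which looks inconsistent with the `$config['system']['webgui']` paths used elsewhere in this hunk) then drops out. `if($_SERVER['HTTP_REFERER'])` reads an index that is absent on direct requests; `!empty($_SERVER['HTTP_REFERER'])` avoids the notice. The two `unset($group)` lines in the later hunks are correct cleanup of the by-reference loop variable and need no change; local_user_set_groups starts and ends outside those hunks.
```php
// If the HTTP_REFERER is something other than ourselves then disallow.
if(function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
	if(!empty($_SERVER['HTTP_REFERER'])) {
		// Compare the referer's host component only, never the full URL.
		$referer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
		$allowed_hosts = array($config['system']['hostname'] . "." . $config['system']['domain']);
		if(!empty($config['system']['webgui']['althostnames']))
			$allowed_hosts = array_merge($allowed_hosts, explode(" ", $config['system']['webgui']['althostnames']));
		$allowed_hosts = array_merge($allowed_hosts, get_configured_ip_addresses());
		$found_host = false;
		foreach ($allowed_hosts as $ah) {
			if(empty($ah))
				continue;
			if(is_string($referer_host) && strcasecmp($referer_host, $ah) == 0) {
				$found_host = true;
				break;
			}
		}
		if($found_host == false) {
			// … unchanged: display_error_form(...) and exit …
		}
	}
}
```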