author | Erik Fonnesbeck <efonnes@gmail.com> | 2010-11-21 09:32:33 -0700 |
---|---|---|
committer | Erik Fonnesbeck <efonnes@gmail.com> | 2010-11-21 10:23:34 -0700 |
commit | 0f806ecab4d4e6f1dae8af476d14e21003f162b2 (patch) | |
tree | 1403ffe745aea4b782b9ca379ad3ec6b2a710396 /etc/inc/config.lib.inc | |
parent | 2b8bdfe47ca88c7f71818ca3e25cd236aa41503e (diff) | |
Upon restoring a config, replacing whole sections, or editing config.xml in edit.php, prevent possible accidental lockout from DNS rebind and HTTP referrer checks by disabling them until reboot or the next time they pass, whichever comes sooner. Ticket #1027
Diffstat (limited to 'etc/inc/config.lib.inc')
-rw-r--r-- | etc/inc/config.lib.inc | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index 4feef0f..f8c408d 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -210,6 +210,7 @@ function restore_backup($file) {
 conf_mount_rw();
 unlink_if_exists("{$g['tmp_path']}/config.cache");
 copy("$file","/cf/conf/config.xml");
+ disable_security_checks();
 log_error("{$g['product_name']} is restoring the configuration $file");
 file_notice("config.xml", "{$g['product_name']} is restoring the configuration $file", "pfSenseConfigurator", "");
 conf_mount_ro();
@@ -569,6 +570,8 @@ function reset_factory_defaults($lock = false) {
 /* copy default configuration */
 copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml");
+ disable_security_checks();
+
 /* call the wizard */
 touch("/conf/trigger_initial_wizard");
 if (!$lock)
@@ -593,6 +596,8 @@ function config_restore($conffile) {
 unlink_if_exists("{$g['tmp_path']}/config.cache");
 copy($conffile, "{$g['cf_conf_path']}/config.xml");
+ disable_security_checks();
+
 unlock($lockkey);
 $config = parse_config(true);
@@ -623,6 +628,8 @@ function config_install($conffile) {
 copy($conffile, "{$g['conf_path']}/config.xml");
+ disable_security_checks();
+
 /* unlink cache file if it exists */
 if(file_exists("{$g['tmp_path']}/config.cache"))
 unlink("{$g['tmp_path']}/config.cache");
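Review bot: In restore_backup() the added `disable_security_checks();` runs even when the `copy()` just above it failed, so a restore that changed nothing still turns off the DNS rebind and HTTP referrer checks. The hunks for reset_factory_defaults(), config_restore() and config_install() have the same shape. I would set the marker only when the copy succeeded, e.g. `if (copy("$file", "/cf/conf/config.xml")) disable_security_checks();`, and state in the existing `log_error()` message that the checks were relaxed so the event can be found in the system log. All four function bodies start and end outside their hunks, so any error handling further down is not visible here.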
@@ -633,6 +640,31 @@ function config_install($conffile) {
 return 0;
 }
+/*
+ * Disable security checks for DNS rebind and HTTP referrer until next time
+ * they pass (or reboot), to aid in preventing accidental lockout when
+ * restoring settings like hostname, domain, IP addresses, and settings
+ * related to the DNS rebind and HTTP referrer checks.
+ * Intended for use when restoring a configuration or directly
+ * modifying config.xml without an unconditional reboot.
+ */
+function disable_security_checks() {
+ global $g;
+ touch("{$g['tmp_path']}/disable_security_checks");
+}
+
+/* Restores security checks. Should be called after all succeed. */
+function restore_security_checks() {
+ global $g;
+ unlink_if_exists("{$g['tmp_path']}/disable_security_checks");
+}
+
+/* Returns status of security check temporary disable. */
+function security_checks_disabled() {
+ global $g;
+ return file_exists("{$g['tmp_path']}/disable_security_checks");
+}
+
 function config_validate($conffile) {
 global $g, $xmlerr; |
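Review bot: The override set by disable_security_checks() is silent and open-ended: nothing is logged, the result of `touch()` is ignored, and security_checks_disabled() keeps returning true for as long as the marker exists, which may be indefinitely if no request passes both checks and the box is not rebooted. The marker also lives under `$g['tmp_path']`; if that directory is writable by anything other than root, creating the file is enough to switch off both protections, so the permissions should be confirmed or the flag kept in a root-only location. Below is a variant that logs the change, accepts only a regular file and stops honouring the marker after a time limit; the 900-second value is a constructed example and has to be weighed against the lockout case this commit is solving.

```php
function disable_security_checks() {
	global $g;
	if (touch("{$g['tmp_path']}/disable_security_checks"))
		log_error("DNS rebind and HTTP referrer checks are temporarily disabled after a configuration change");
	else
		log_error("Could not create the marker that temporarily disables the DNS rebind and HTTP referrer checks");
}

/* … unchanged: restore_security_checks() … */

function security_checks_disabled() {
	global $g;
	$marker = "{$g['tmp_path']}/disable_security_checks";
	/* a directory or other non-regular entry at this path must not count as the override */
	if (!is_file($marker))
		return false;
	/* constructed example limit: stop honouring the marker after 900 seconds */
	if ((time() - filemtime($marker)) > 900) {
		unlink_if_exists($marker);
		return false;
	}
	return true;
}
```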