diff options
| author | Erik Fonnesbeck <efonnes@gmail.com> | 2010-11-21 09:32:33 -0700 |
|---|---|---|
| committer | Erik Fonnesbeck <efonnes@gmail.com> | 2010-11-21 10:23:34 -0700 |
| commit | 0f806ecab4d4e6f1dae8af476d14e21003f162b2 (patch) | |
| tree | 1403ffe745aea4b782b9ca379ad3ec6b2a710396 /etc | |
| parent | 2b8bdfe47ca88c7f71818ca3e25cd236aa41503e (diff) | |
| download | pfsense-0f806ecab4d4e6f1dae8af476d14e21003f162b2.zip pfsense-0f806ecab4d4e6f1dae8af476d14e21003f162b2.tar.gz | |
Upon restoring a config, replacing whole sections, or editing config.xml in edit.php, prevent possible accidental lockout from DNS rebind and HTTP referrer checks by disabling them until reboot or the next time they pass, whichever comes sooner. Ticket #1027
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/inc/auth.inc | 22 | ||||
| -rw-r--r-- | etc/inc/config.lib.inc | 32 | ||||
| -rw-r--r-- | etc/inc/pfsense-utils.inc | 2 |
3 files changed, 52 insertions, 4 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 67ea8c6..9de5044 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -49,6 +49,9 @@ if(!$do_not_include_config_gui_inc) require_once("config.gui.inc"); +// Will be changed to false if security checks fail +$security_passed = true; + /* If this function doesn't exist, we're being called from Captive Portal or another internal subsystem which does not include authgui.inc */ if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) { @@ -84,8 +87,11 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ } if($found_host == false) { - display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname."); - exit; + if(!security_checks_disabled()) { + display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname."); + exit; + } + $security_passed = false; } } @@ -127,12 +133,20 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui'][' } } if($found_host == false) { - display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); - exit; + if(!security_checks_disabled()) { + display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); + exit; + } + $security_passed = false; } } } +if (function_exists("display_error_form") && $security_passed) + /* Security checks passed, so it should be OK to turn them back on */ + restore_security_checks(); +unset($security_passed); + $groupindex = index_groups(); $userindex = index_users(); diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc index 4feef0f..f8c408d 100644 --- a/etc/inc/config.lib.inc +++ b/etc/inc/config.lib.inc @@ -210,6 +210,7 @@ function restore_backup($file) { conf_mount_rw(); unlink_if_exists("{$g['tmp_path']}/config.cache"); copy("$file","/cf/conf/config.xml"); + disable_security_checks(); log_error("{$g['product_name']} is restoring the configuration $file"); file_notice("config.xml", "{$g['product_name']} is restoring the configuration $file", "pfSenseConfigurator", ""); conf_mount_ro(); @@ -569,6 +570,8 @@ function reset_factory_defaults($lock = false) { /* copy default configuration */ copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml"); + disable_security_checks(); + /* call the wizard */ touch("/conf/trigger_initial_wizard"); if (!$lock) @@ -593,6 +596,8 @@ function config_restore($conffile) { unlink_if_exists("{$g['tmp_path']}/config.cache"); copy($conffile, "{$g['cf_conf_path']}/config.xml"); + disable_security_checks(); + unlock($lockkey); $config = parse_config(true); @@ -623,6 +628,8 @@ function config_install($conffile) { copy($conffile, "{$g['conf_path']}/config.xml"); + disable_security_checks(); + /* unlink cache file if it exists */ if(file_exists("{$g['tmp_path']}/config.cache")) unlink("{$g['tmp_path']}/config.cache"); @@ -633,6 +640,31 @@ function config_install($conffile) { return 0; } +/* + * Disable security checks for DNS rebind and HTTP referrer until next time + * they pass (or reboot), to aid in preventing accidental lockout when + * restoring settings like hostname, domain, IP addresses, and settings + * related to the DNS rebind and HTTP referrer checks. + * Intended for use when restoring a configuration or directly + * modifying config.xml without an unconditional reboot. + */ +function disable_security_checks() { + global $g; + touch("{$g['tmp_path']}/disable_security_checks"); +} + +/* Restores security checks. Should be called after all succeed. */ +function restore_security_checks() { + global $g; + unlink_if_exists("{$g['tmp_path']}/disable_security_checks"); +} + +/* Returns status of security check temporary disable. */ +function security_checks_disabled() { + global $g; + return file_exists("{$g['tmp_path']}/disable_security_checks"); +} + function config_validate($conffile) { global $g, $xmlerr; diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc index 5e1d721..7ffbf24 100644 --- a/etc/inc/pfsense-utils.inc +++ b/etc/inc/pfsense-utils.inc @@ -550,6 +550,7 @@ function restore_config_section($section, $new_contents) { if(file_exists("{$g['tmp_path']}/config.cache")) unlink("{$g['tmp_path']}/config.cache"); write_config("Restored {$section} of config file (maybe from CARP partner)"); + disable_security_checks(); conf_mount_ro(); return; } @@ -571,6 +572,7 @@ function merge_config_section($section, $new_contents) { $config[$section] = $section_xml; unlink($fname); write_config("Restored {$section} of config file (maybe from CARP partner)"); + disable_security_checks(); conf_mount_ro(); return; } |
