author | Ermal <eri@pfsense.org> | 2013-03-13 08:14:33 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-03-13 08:14:33 +0000 |
commit | d06be1a71714fdaf8c309c4ff7a129d070c79949 (patch) | |
tree | 21cf3ade43f31a3472460044fcf00b4ac13b3b38 /etc | |
parent | efc0e29abc068b41f52a2d5d6ac89cb6c4791662 (diff) | |
Do stricter checks to avoid http://forum.pfsense.org/index.php/topic,59847.0.html
Diffstat (limited to 'etc')
-rw-r--r-- | etc/inc/filter.inc | 28 |
1 files changed, 20 insertions, 8 deletions
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index ad0ec33..8eef18e 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -1911,14 +1911,14 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 if($rule['ipprotocol'] == "inet6") {
 if(preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
 $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ipv6'];
- if(!is_ipaddr($opt_ip))
+ if(!is_ipaddrv6($opt_ip))
 return "";
 $src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6'];
 /* check for opt$NUMip here */
 } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
 $src = $FilterIflist["opt{$matches[1]}"]['ipv6'];
- if(!is_ipaddr($src))
+ if(!is_ipaddrv6($src))
 return "";
 }
 if(isset($rule[$target]['not']))
@@ -1926,14 +1926,14 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 } else {
 if(preg_match("/opt([0-9]*)$/", $rule[$target]['network'], $optmatch)) {
 $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
- if(!is_ipaddr($opt_ip))
+ if(!is_ipaddrv4($opt_ip))
 return "";
 $src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['sn'];
 /* check for opt$NUMip here */
 } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
 $src = $FilterIflist["opt{$matches[1]}"]['ip'];
- if(!is_ipaddr($src))
+ if(!is_ipaddrv4($src))
 return "";
 }
 if(isset($rule[$target]['not']))
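Review bot: The new is_ipaddrv6 guard validates only the address half of the value, while the next line still concatenates `$opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6']` unchecked, so an interface with a valid address but an empty or non-numeric prefix length yields a string ending in `/` that the caller's `($src == "/")` test does not catch. The guard should cover both parts, e.g. `if (!is_ipaddrv6($opt_ip) || !is_numeric($FilterIflist["opt{$optmatch[1]}"]['snv6']))` before the `return "";`. The same gap exists for the `sn` lookup in the hunk at -1926, the `sav6`/`snv6` pairs for wan and lan at -1944, and the `sa`/`sn` pairs at -1976 and -1987. filter_generate_address starts before this hunk and continues past it.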
@@ -1944,17 +1944,25 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 switch ($rule[$target]['network']) {
 case 'wan':
 $wansa = $FilterIflist['wan']['sav6'];
+ if (!is_ipaddrv6($wansa))
+ return "";
 $wansn = $FilterIflist['wan']['snv6'];
 $src = "{$wansa}/{$wansn}";
 break;
 case 'wanip':
 $src = $FilterIflist["wan"]['ipv6'];
+ if (!is_ipaddrv6($src))
+ return "";
 break;
 case 'lanip':
 $src = $FilterIflist["lan"]['ipv6'];
+ if (!is_ipaddrv6($src))
+ return "";
 break;
 case 'lan':
 $lansa = $FilterIflist['lan']['sav6'];
+ if (!is_ipaddrv6($lansa))
+ return "";
 $lansn = $FilterIflist['lan']['snv6'];
 $src = "{$lansa}/{$lansn}";
 break;
@@ -1976,6 +1984,8 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 switch ($rule[$target]['network']) {
 case 'wan':
 $wansa = $FilterIflist['wan']['sa'];
+ if (!is_ipaddrv4($wansa))
+ return "";
 $wansn = $FilterIflist['wan']['sn'];
 $src = "{$wansa}/{$wansn}";
 break;
@@ -1987,6 +1997,8 @@ function filter_generate_address(& $rule, $target = "source", $isnat = false) {
 break;
 case 'lan':
 $lansa = $FilterIflist['lan']['sa'];
+ if (!is_ipaddrv4($lansa))
+ return "";
 $lansn = $FilterIflist['lan']['sn'];
 $src = "{$lansa}/{$lansn}";
 break;
@@ -2190,8 +2202,8 @@ function filter_generate_user_rule($rule) {
 update_filter_reload_status(sprintf(gettext("Creating rule %s"), $rule['descr']));
 /* source address */
- $src = filter_generate_address($rule, "source");
- if(empty($src) || ($src == "/")) {
+ $src = trim(filter_generate_address($rule, "source"));
+ if (empty($src) || ($src == "/")) {
 return "# at the break!";
 }
 $aline['src'] = " from $src ";
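Review bot: The IPv4 branch appears to get the new address guard only for the `wan` case here and the `lan` case in the hunk at -1987, whereas the IPv6 switch at -1944 also guards `wanip` and `lanip`. The five unshown lines between the two IPv4 hunks (old 1982–1986) are by that pattern the `wanip` and `lanip` cases, and if so they still assign `$FilterIflist[...]['ip']` without a check, leaving an empty source or destination possible on the v4 side. Each of those assignments should be followed by `if (!is_ipaddrv4($src)) return "";`, mirroring the IPv6 hunk. filter_generate_address starts before this hunk and continues past it, so the `wanip`/`lanip` lines themselves are not visible here.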
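Review bot: The `($src == "/")` comparison on the new `if` line still rejects only the case where both address and mask were empty; a value such as `2001:db8::1/` (valid address, empty prefix length — a constructed example) passes the test and is written into the rule text, and filter_generate_address can still produce such a value for the `wan`/`lan`/`opt` network cases because only the address is validated there. Independently of tightening the generator, the caller could reject any result that begins or ends with a slash: `if (empty($src) || $src[0] == "/" || substr($src, -1) == "/") {`. The same applies to the `$dst` check in the hunk at -2201. filter_generate_user_rule starts and ends outside this hunk.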
@@ -2201,8 +2213,8 @@ function filter_generate_user_rule($rule) {
 $aline['os'] = " os {$rule['os']} ";
 /* destination address */
- $dst = filter_generate_address($rule, "destination");
- if(empty($dst) || ($dst == "/")) {
+ $dst = trim(filter_generate_address($rule, "destination"));
+ if (empty($dst) || ($dst == "/")) {
 return "# returning at dst $dst == \"/\"";
 }
 $aline['dst'] = "to $dst ";