Parse URL Table alias downloads with parse_aliases_file to ensure only valid contents. Ticket #5848

1 files changed, 9 insertions, 5 deletions

diff --git a/src/etc/inc/pfsense-utils.inc b/src/etc/inc/pfsense-utils.inc
index 87039f6..22ccf86 100644
--- a/src/etc/inc/pfsense-utils.inc
+++ b/src/etc/inc/pfsense-utils.inc
@@ -2153,6 +2153,7 @@ function process_alias_urltable($name, $url, $freq, $forceupdate=false) {
 
 	$urltable_prefix = "/var/db/aliastables/";
 	$urltable_filename = $urltable_prefix . $name . ".txt";
+	$tmp_urltable_filename = $urltable_filename . ".tmp";
 
 	// Make the aliases directory if it doesn't exist
 	if (!file_exists($urltable_prefix)) {
@@ -2169,16 +2170,19 @@ function process_alias_urltable($name, $url, $freq, $forceupdate=false) {
 
 		// Try to fetch the URL supplied
 		conf_mount_rw();
-		unlink_if_exists($urltable_filename . ".tmp");
+		unlink_if_exists($tmp_urltable_filename);
 		$verify_ssl = isset($config['system']['checkaliasesurlcert']);
-		if (download_file($url, $urltable_filename . ".tmp", $verify_ssl)) {
-			mwexec("/usr/bin/sed -E 's/\;.*//g; /^[[:space:]]*($|#)/d' ". escapeshellarg($urltable_filename . ".tmp") . " > " . escapeshellarg($urltable_filename));
+		if (download_file($url, $tmp_urltable_filename, $verify_ssl)) {
+			mwexec("/usr/bin/sed -i \"\" -E 's/\;.*//g; /^[[:space:]]*($|#)/d' " . escapeshellarg($tmp_urltable_filename));
 			if (alias_get_type($name) == "urltable_ports") {
-				$ports = explode("\n", str_replace("\r", "", file_get_contents($urltable_filename)));
+				$ports = parse_aliases_file($tmp_urltable_filename, "url_ports", "-1");
 				$ports = group_ports($ports);
 				file_put_contents($urltable_filename, implode("\n", $ports));
+			} else {
+				$urltable = parse_aliases_file($tmp_urltable_filename, "url", "-1");
+				file_put_contents($urltable_filename, implode("\n", $urltable));
 			}
-			unlink_if_exists($urltable_filename . ".tmp");
+			unlink_if_exists($tmp_urltable_filename);
 		} else {
 			touch($urltable_filename);
 			conf_mount_ro();