path: root/src/usr/local/www/diag_tables.php
authorjim-p <jimp@pfsense.org>2017-06-16 15:10:54 -0400
committerjim-p <jimp@pfsense.org>2017-06-16 15:24:38 -0400
commite90eaf31f079dc29187d1c08cfe88ceabc0786f4 (patch)
treede4bcc6ce7ba7768be169458f701449b5c659ad6 /src/usr/local/www/diag_tables.php
parent9c8540ca53f8258a44aaf13100d575b30ae77e65 (diff)
downloadpfsense-e90eaf31f079dc29187d1c08cfe88ceabc0786f4.zip
pfsense-e90eaf31f079dc29187d1c08cfe88ceabc0786f4.tar.gz
Fix handling of the 'type' parameter so it is validated and encoded on diag_tables.php. Fixes #7652
Diffstat (limited to 'src/usr/local/www/diag_tables.php')
-rw-r--r--src/usr/local/www/diag_tables.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/usr/local/www/diag_tables.php b/src/usr/local/www/diag_tables.php
index c1d049d..c192880 100644
--- a/src/usr/local/www/diag_tables.php
+++ b/src/usr/local/www/diag_tables.php
@@ -31,11 +31,17 @@ $shortcut_section = "aliases";
require_once("guiconfig.inc");
+exec("/sbin/pfctl -sT", $tables);
+
// Set default table
$tablename = "sshlockout";
-if ($_REQUEST['type']) {
+if ($_REQUEST['type'] && in_array($_REQUEST['type'], $tables)) {
$tablename = $_REQUEST['type'];
+} else {
+ /* Invalid 'type' passed, do not take any actions that use the 'type' field. */
+ unset($_REQUEST['type']);
+ $_REQUEST['delete'];
}
// Gather selected alias metadata.
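Review bot: The line `$_REQUEST['delete'];` in the new else-branch is a bare expression statement and does nothing, so a request with an invalid 'type' still falls through with `$tablename = "sshlockout"` and any 'delete' parameter intact; judging by the comment directly above it, it was meant to be `unset($_REQUEST['delete']);` so that the delete handling further down (outside this hunk) cannot act on the default table for a request whose 'type' was rejected. While here, the membership check should be strict, `in_array($_REQUEST['type'], $tables, true)`, so that a non-string 'type' (e.g. `type[]=x`) cannot loosely compare against the pfctl output, and `$tables` should be initialised to `[]` before the `exec()` so that a failed pfctl invocation leaves an empty whitelist rather than an undefined variable. The `exec("/sbin/pfctl -sT", $tables)` line now runs on every request, including those without 'type'; that is fine for correctness but worth a one-line comment such as `/* Whitelist of live pf table names; 'type' is only honoured if it matches one exactly. */`.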
@@ -112,7 +118,6 @@ if ($_POST['Download'] && ($bogons || $urltable)) {
}
exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
-exec("/sbin/pfctl -sT", $tables);
include("head.inc");
@@ -229,7 +234,7 @@ events.push(function() {
{
type: 'post',
data: {
- type: '<?=htmlspecialchars($tablename)?>',
+ type: '<?=htmlspecialchars(addslashes($tablename))?>',
delete: $(this).data('entry')
},
success: function() {
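Review bot: `htmlspecialchars(addslashes($tablename))` is an HTML escape applied inside a JavaScript string literal in a `<script>` block, which is the wrong context: the browser does not decode entities there, so a name containing `&` or `<` would be posted back altered, and `addslashes` is not a complete JS-string escaper either. The conventional form is to let PHP produce a JS literal, `type: <?=json_encode($tablename)?>,`, which escapes quotes, backslashes and `</` correctly and needs no `htmlspecialchars`. Because `$tablename` is now restricted to names returned by `pfctl -sT`, the practical exposure appears small, but the encoding should still match the context. The enclosing `events.push(function() { ... })` closure starts and ends outside this hunk.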