Data sanitation - check IP protocol in form data

Code doesn't seem to check that IP protocol is valid (IPv4/6/4+6) or report via $input_errors[] if not. Simple fix. Only spotted recently. Should be fixed whatever else?
author: stilez <stilez@users.noreply.github.com> 2016-12-27 02:11:20 +0000
committer: GitHub <noreply@github.com> 2016-12-27 02:11:20 +0000
commit: 202e23a81613c5810679e9b119ad4cc53977dbea (patch)
tree: b12660848aa54557c728e2684b0ca0c9dd5bb815 /src/usr/local/www/firewall_rules_edit.php
parent: 8afd8c0409a9ed246a244e7a1dbdcb2ad627434b (diff)
download: pfsense-202e23a81613c5810679e9b119ad4cc53977dbea.zip
pfsense-202e23a81613c5810679e9b119ad4cc53977dbea.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php
index 79b3fb0..8eac894 100644
--- a/src/usr/local/www/firewall_rules_edit.php
+++ b/src/usr/local/www/firewall_rules_edit.php
@@ -317,6 +317,10 @@ if ($_POST) {
 
 	unset($input_errors);
 
+	if (!array_key_exists($_POST['ipprotocol'], $icmplookup)) {
+		$input_errors[] = gettext("The IP protocol is not recognized."); 
+	}
+
 	if (isset($a_filter[$id]['associated-rule-id'])) {
 		$_POST['proto'] = $pconfig['proto'];
 		if ($pconfig['proto'] == "icmp") {
author	stilez <stilez@users.noreply.github.com>	2016-12-27 02:11:20 +0000
committer	GitHub <noreply@github.com>	2016-12-27 02:11:20 +0000
commit	202e23a81613c5810679e9b119ad4cc53977dbea (patch)
tree	b12660848aa54557c728e2684b0ca0c9dd5bb815 /src/usr/local/www/firewall_rules_edit.php
parent	8afd8c0409a9ed246a244e7a1dbdcb2ad627434b (diff)
download	pfsense-202e23a81613c5810679e9b119ad4cc53977dbea.zip pfsense-202e23a81613c5810679e9b119ad4cc53977dbea.tar.gz