authorSteve Beaver <sbeaver@netgate.com>2017-02-13 15:30:08 -0500
committerSteve Beaver <sbeaver@netgate.com>2017-02-13 15:30:08 -0500
commit7f4268b62ddfb259e437dd0cb85fa41f5e98dff0 (patch)
tree0c73dfca4376a835f53886dab512b88905715f39 /src/usr/local
parent84147b7ba599508d9ac089a28664145860dba8e5 (diff)
downloadpfsense-7f4268b62ddfb259e437dd0cb85fa41f5e98dff0.zip
pfsense-7f4268b62ddfb259e437dd0cb85fa41f5e98dff0.tar.gz
Revisions to GET/POST conversion limiting POSTs to save, apply, and delete functions - Diagnostics
Diffstat (limited to 'src/usr/local')
-rw-r--r--src/usr/local/www/diag_arp.php10
-rwxr-xr-xsrc/usr/local/www/diag_command.php5
-rw-r--r--src/usr/local/www/diag_confbak.php55
-rw-r--r--src/usr/local/www/diag_dump_states_sources.php2
-rw-r--r--src/usr/local/www/diag_edit.php4
-rw-r--r--src/usr/local/www/diag_smart.php3
-rw-r--r--src/usr/local/www/diag_sockets.php2
7 files changed, 38 insertions, 43 deletions
diff --git a/src/usr/local/www/diag_arp.php b/src/usr/local/www/diag_arp.php
index 4108192..75afeea 100644
--- a/src/usr/local/www/diag_arp.php
+++ b/src/usr/local/www/diag_arp.php
@@ -36,10 +36,10 @@
require_once("guiconfig.inc");
// delete arp entry
-if (isset($_GET['deleteentry'])) {
- $ip = $_GET['deleteentry'];
+if (isset($_POST['deleteentry'])) {
+ $ip = $_POST['deleteentry'];
if (is_ipaddrv4($ip)) {
- $ret = mwexec("arp -d " . $_GET['deleteentry'], true);
+ $ret = mwexec("arp -d " . $_POST['deleteentry'], true);
} else {
$ret = 1;
}
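Review bot: The validated `$ip` is assigned right after the isset check, but the shell command two lines later re-reads `$_POST['deleteentry']` instead, so the value handed to mwexec is the raw request field rather than the checked copy; prefer `$ret = mwexec("arp -d " . escapeshellarg($ip), true);` so the argument and the validated value cannot drift apart. is_ipaddrv4() already guards this branch, so escapeshellarg() here is defence in depth rather than a fix for a live injection. The enclosing `if (isset($_POST['deleteentry']))` block continues past the end of the hunk.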
@@ -53,7 +53,7 @@ if (isset($_GET['deleteentry'])) {
}
function leasecmp($a, $b) {
- return strcmp($a[$_GET['order']], $b[$_GET['order']]);
+ return strcmp($a[$_REQUEST['order']], $b[$_REQUEST['order']]);
}
function adjust_gmt($dt) {
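Review bot: `$_REQUEST['order']` is used directly as an array key inside leasecmp without being checked against the columns the ARP entries actually carry, so an absent or unknown value makes every comparison `strcmp(null, null)` (with an undefined-index notice per call) and the sort silently becomes a no-op. Validate the key once before the comparator is used — e.g. `if (!in_array($_REQUEST['order'], $allowed_columns, true)) { $_REQUEST['order'] = 'ip'; }` with `$allowed_columns` being the list of keys the entries have — rather than trusting the request field on every comparison. The call site that passes leasecmp to the sort is outside this hunk, and adjust_gmt() is cut off at the hunk boundary.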
@@ -360,7 +360,7 @@ $mac_man = load_mac_manufacturer_table();
<td><?=ucfirst($entry['status'])?></td>
<td><?=$entry['linktype']?></td>
<td>
- <a class="fa fa-trash" title="<?=gettext('Delete arp cache entry')?>" href="diag_arp.php?deleteentry=<?=$entry['ip']?>"></a>
+ <a class="fa fa-trash" title="<?=gettext('Delete arp cache entry')?>" href="diag_arp.php?deleteentry=<?=$entry['ip']?>" usepost></a>
</td>
</tr>
<?php endforeach?>
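Review bot: The delete anchor keeps `deleteentry=` in its `href` query string while the handler at the top of the file now reads only `$_POST['deleteentry']`, so the link only works if a script not shown here turns `usepost` anchors into a POST; a plain click with the attribute ignored performs a GET that is dropped with no message to the user. A comment on the anchor such as `<!-- usepost: submitted as POST by the page script; the handler ignores GET -->` (or a pointer to where the attribute is handled) would make the coupling visible. The same applies to the `usepost` anchors added in diag_confbak.php. `$entry['ip']` is also written into the href unescaped; wrapping it in `htmlspecialchars()` keeps the attribute well-formed regardless of what the arp output contains.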
diff --git a/src/usr/local/www/diag_command.php b/src/usr/local/www/diag_command.php
index dc6037c..84c57e1 100755
--- a/src/usr/local/www/diag_command.php
+++ b/src/usr/local/www/diag_command.php
@@ -61,9 +61,6 @@ if ($_POST['submit'] == "DOWNLOAD" && file_exists($_POST['dlPath'])) {
$ulmsg = sprintf(gettext('Uploaded file to %s.'), $g["tmp_path"] . "/" . htmlentities($_FILES['ulfile']['name']));
}
-if ($_POST) {
-}
-
// Function: is Blank
// Returns true or false depending on blankness of argument.
@@ -239,7 +236,7 @@ if ($_POST['submit'] == "EXEC" && !isBlank($_POST['txtCommand'])):?>
<div class="panel-heading"><h2 class="panel-title"><?=gettext('Download File')?></h2></div>
<div class="panel-body">
<div class="content">
- <input name="dlPath" type="text" id="dlPath" placeholder="File to download" class="col-sm-4" value="<?=htmlspecialchars($_GET['dlPath']);?>"/>
+ <input name="dlPath" type="text" id="dlPath" placeholder="File to download" class="col-sm-4" value="<?=htmlspecialchars($_REQUEST['dlPath']);?>"/>
<br /><br />
<button name="submit" type="submit" class="btn btn-primary btn-sm" id="download" value="DOWNLOAD">
<i class="fa fa-download icon-embed-btn"></i>
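Review bot: `htmlspecialchars($_REQUEST['dlPath'])` raises an undefined-index notice on a normal page load, because the field is only present after a submit; `value="<?=htmlspecialchars(isset($_REQUEST['dlPath']) ? $_REQUEST['dlPath'] : '')?>"` keeps the prefill and avoids the notice. Reading `$_REQUEST` here also means the path box can be pre-filled from a query string even though the download itself (hunk header, `$_POST['submit'] == "DOWNLOAD"`) is POST-only; if that GET prefill is intended, a short comment saying so would stop the next reader from "fixing" it back to `$_POST`.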
diff --git a/src/usr/local/www/diag_confbak.php b/src/usr/local/www/diag_confbak.php
index b8175fb..39d2ed3 100644
--- a/src/usr/local/www/diag_confbak.php
+++ b/src/usr/local/www/diag_confbak.php
@@ -37,31 +37,28 @@ if (isset($_POST['backupcount'])) {
unset($config['system']['backupcount']);
$changedescr = gettext("(platform default)");
}
+
write_config(sprintf(gettext("Changed backup revision count to %s"), $changedescr));
-} elseif ($_GET) {
- if (!isset($_GET['newver']) && !isset($_GET['rmver']) && !isset($_GET['getcfg']) && !isset($_GET['diff'])) {
- header("Location: diag_confbak.php");
- return;
- }
+}
- $confvers = unserialize(file_get_contents($g['cf_conf_path'] . '/backup/backup.cache'));
+$confvers = unserialize(file_get_contents($g['cf_conf_path'] . '/backup/backup.cache'));
- if ($_GET['newver'] != "") {
- if (config_restore($g['conf_path'] . '/backup/config-' . $_GET['newver'] . '.xml') == 0) {
- $savemsg = sprintf(gettext('Successfully reverted to timestamp %1$s with description "%2$s".'), date(gettext("n/j/y H:i:s"), $_GET['newver']), htmlspecialchars($confvers[$_GET['newver']]['description']));
- } else {
- $savemsg = gettext("Unable to revert to the selected configuration.");
- }
- }
- if ($_GET['rmver'] != "") {
- unlink_if_exists($g['conf_path'] . '/backup/config-' . $_GET['rmver'] . '.xml');
- $savemsg = sprintf(gettext('Deleted backup with timestamp %1$s and description "%2$s".'), date(gettext("n/j/y H:i:s"), $_GET['rmver']), htmlspecialchars($confvers[$_GET['rmver']]['description']));
+if ($_POST['newver'] != "") {
+ if (config_restore($g['conf_path'] . '/backup/config-' . $_POST['newver'] . '.xml') == 0) {
+ $savemsg = sprintf(gettext('Successfully reverted to timestamp %1$s with description "%2$s".'), date(gettext("n/j/y H:i:s"), $_POST['newver']), htmlspecialchars($confvers[$_POST['newver']]['description']));
+ } else {
+ $savemsg = gettext("Unable to revert to the selected configuration.");
}
}
-if ($_GET['getcfg'] != "") {
- $_GET['getcfg'] = basename($_GET['getcfg']);
- $file = $g['conf_path'] . '/backup/config-' . $_GET['getcfg'] . '.xml';
+if ($_POST['rmver'] != "") {
+ unlink_if_exists($g['conf_path'] . '/backup/config-' . $_POST['rmver'] . '.xml');
+ $savemsg = sprintf(gettext('Deleted backup with timestamp %1$s and description "%2$s".'), date(gettext("n/j/y H:i:s"), $_POST['rmver']), htmlspecialchars($confvers[$_POST['rmver']]['description']));
+}
+
+if ($_REQUEST['getcfg'] != "") {
+ $_REQUEST['getcfg'] = basename($_REQUEST['getcfg']);
+ $file = $g['conf_path'] . '/backup/config-' . $_REQUEST['getcfg'] . '.xml';
$exp_name = urlencode("config-{$config['system']['hostname']}.{$config['system']['domain']}-{$_GET['getcfg']}.xml");
$exp_data = file_get_contents($file);
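Review bot: The download branch sanitises `$_REQUEST['getcfg']` with basename(), but the `$exp_name` line below it still reads `$_GET['getcfg']`, so a POSTed getcfg yields a filename with an empty timestamp, and a GET value reaches the Content-Disposition name unsanitised because assigning to `$_REQUEST` does not update `$_GET`; change it to `...-{$_REQUEST['getcfg']}.xml`, or copy the cleaned value into a local and use that in both places. `$_POST['newver']` and `$_POST['rmver']` are still concatenated into backup file paths with no check, while the diff branch further down validates `oldtime`/`newtime` with is_numeric(); applying the same `is_numeric()` test before config_restore() and unlink_if_exists() would make the three branches consistent. Removing the `header("Location: ...")` guard also means the backup.cache unserialize() now runs on every request instead of only when one of the action parameters is present, which is probably fine but worth a comment. The `if (isset($_POST['backupcount']))` block begins before the hunk and the getcfg block continues after it.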
@@ -74,18 +71,18 @@ if ($_GET['getcfg'] != "") {
exit;
}
-if (($_GET['diff'] == 'Diff') && isset($_GET['oldtime']) && isset($_GET['newtime']) &&
- (is_numeric($_GET['oldtime'])) &&
- (is_numeric($_GET['newtime']) || ($_GET['newtime'] == 'current'))) {
+if (($_REQUEST['diff'] == 'Diff') && isset($_REQUEST['oldtime']) && isset($_REQUEST['newtime']) &&
+ (is_numeric($_REQUEST['oldtime'])) &&
+ (is_numeric($_REQUEST['newtime']) || ($_REQUEST['newtime'] == 'current'))) {
$diff = "";
- $oldfile = $g['conf_path'] . '/backup/config-' . $_GET['oldtime'] . '.xml';
- $oldtime = $_GET['oldtime'];
- if ($_GET['newtime'] == 'current') {
+ $oldfile = $g['conf_path'] . '/backup/config-' . $_REQUEST['oldtime'] . '.xml';
+ $oldtime = $_REQUEST['oldtime'];
+ if ($_REQUEST['newtime'] == 'current') {
$newfile = $g['conf_path'] . '/config.xml';
$newtime = $config['revision']['time'];
} else {
- $newfile = $g['conf_path'] . '/backup/config-' . $_GET['newtime'] . '.xml';
- $newtime = $_GET['newtime'];
+ $newfile = $g['conf_path'] . '/backup/config-' . $_REQUEST['newtime'] . '.xml';
+ $newtime = $_REQUEST['newtime'];
}
if (file_exists($oldfile) && file_exists($newfile)) {
exec("/usr/bin/diff -u " . escapeshellarg($oldfile) . " " . escapeshellarg($newfile), $diff);
@@ -257,9 +254,9 @@ if (is_array($confvers)):
<td><?= format_bytes($version['filesize']) ?></td>
<td><?= htmlspecialchars($version['description']) ?></td>
<td>
- <a class="fa fa-undo" title="<?=gettext('Revert config')?>" href="diag_confbak.php?newver=<?=$version['time']?>" onclick="return confirm('<?=gettext("Confirmation Required to replace the current configuration with this backup.")?>')"></a>
+ <a class="fa fa-undo" title="<?=gettext('Revert config')?>" href="diag_confbak.php?newver=<?=$version['time']?>" onclick="return confirm('<?=gettext("Confirmation Required to replace the current configuration with this backup.")?>')" usepost></a>
<a class="fa fa-download" title="<?=gettext('Download config')?>" href="diag_confbak.php?getcfg=<?=$version['time']?>"></a>
- <a class="fa fa-trash" title="<?=gettext('Delete config')?>" href="diag_confbak.php?rmver=<?=$version['time']?>"></a>
+ <a class="fa fa-trash" title="<?=gettext('Delete config')?>" href="diag_confbak.php?rmver=<?=$version['time']?>" usepost></a>
</td>
</tr>
<?php
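Review bot: The revert anchor now carries both `onclick="return confirm(...)"` and `usepost`; whether the confirmation still gates the request depends on the order in which the `usepost` handler (not visible here) and the inline onclick run, since a handler bound to the same click event may have submitted the POST before the onclick return value is consulted. Worth confirming against the script that implements `usepost`, and a comment on the anchor such as `<!-- confirm() must run before the usepost submit -->` would record the dependency. The download anchor deliberately stays a GET, which matches the `$_REQUEST['getcfg']` read at the top of the file.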
diff --git a/src/usr/local/www/diag_dump_states_sources.php b/src/usr/local/www/diag_dump_states_sources.php
index e48b7e3..b5c7b39 100644
--- a/src/usr/local/www/diag_dump_states_sources.php
+++ b/src/usr/local/www/diag_dump_states_sources.php
@@ -44,7 +44,7 @@ if ($_POST['action']) {
/* get our states */
if ($_POST['filter']) {
- exec("/sbin/pfctl -s Sources | grep " . escapeshellarg(htmlspecialchars($_GET['filter'])), $sources);
+ exec("/sbin/pfctl -s Sources | grep " . escapeshellarg(htmlspecialchars($_POST['filter'])), $sources);
} else {
exec("/sbin/pfctl -s Sources", $sources);
}
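Review bot: `htmlspecialchars()` is applied to the filter before it is used as a grep pattern, so any `&`, `<`, `>` or quote in the filter becomes an HTML entity and the grep no longer matches what the user typed; escapeshellarg() alone is the right protection for the shell argument, and HTML escaping belongs where the value is printed. A filter beginning with `-` would also be read by grep as an option rather than a pattern, so pass it after `--`: `exec("/sbin/pfctl -s Sources | grep -- " . escapeshellarg($_POST['filter']), $sources);`. Moving the condition and the read to the same `$_POST` array does fix the old mismatch where `$_POST['filter']` was tested but `$_GET['filter']` was used.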
diff --git a/src/usr/local/www/diag_edit.php b/src/usr/local/www/diag_edit.php
index 24dedd7..1770c24 100644
--- a/src/usr/local/www/diag_edit.php
+++ b/src/usr/local/www/diag_edit.php
@@ -408,9 +408,9 @@ var Base64 = {
};
- <?php if ($_GET['action'] == "load"): ?>
+ <?php if ($_POST['action'] == "load"): ?>
events.push(function() {
- $("#fbTarget").val("<?=htmlspecialchars($_GET['path'])?>");
+ $("#fbTarget").val("<?=htmlspecialchars($_POST['path'])?>");
loadFile();
});
<?php endif; ?>
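Review bot: `htmlspecialchars($_POST['path'])` is emitted inside a double-quoted JavaScript string literal, but htmlspecialchars escapes for an HTML context and leaves backslashes and line breaks untouched, so a path containing either breaks the literal; in a script context use the JS encoder instead: `$("#fbTarget").val(<?=json_encode($_POST['path'])?>);`. Since the value now only arrives by POST, anything that linked to this page with `action=load` in the query string no longer reaches this block — worth confirming that every caller of diag_edit.php with `action=load` submits a form.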
diff --git a/src/usr/local/www/diag_smart.php b/src/usr/local/www/diag_smart.php
index 97f54fa..49674c2 100644
--- a/src/usr/local/www/diag_smart.php
+++ b/src/usr/local/www/diag_smart.php
@@ -31,7 +31,7 @@ require_once("guiconfig.inc");
// What page, aka. action is being wanted
// If they "get" a page but don't pass all arguments, smartctl will throw an error
-$action = (isset($_POST['action']) ? $_POST['action'] : $_GET['action']);
+$action = $_POST['action'];
$pgtitle = array(gettext("Diagnostics"), gettext("S.M.A.R.T. Status"));
$pglinks = array("", "@self", "@self");
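Review bot: `$action = $_POST['action'];` raises an undefined-index notice on the page's normal first GET load, where the old expression fell back to `$_GET['action']`; `$action = isset($_POST['action']) ? $_POST['action'] : '';` keeps the new POST-only behaviour without the notice and gives the `if ($action != 'config')` comparison below a string to work with. The comment two lines above still describes "get"-ing a page with missing arguments and could be updated to say the action is now taken from POST only.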
@@ -41,6 +41,7 @@ if ($action != 'config') {
} else {
$pgtitle[] = gettext('Config');
}
+
$smartctl = "/usr/local/sbin/smartctl";
$valid_test_types = array("offline", "short", "long", "conveyance");
diff --git a/src/usr/local/www/diag_sockets.php b/src/usr/local/www/diag_sockets.php
index ccc3d6f..8132832 100644
--- a/src/usr/local/www/diag_sockets.php
+++ b/src/usr/local/www/diag_sockets.php
@@ -32,7 +32,7 @@ $pgtitle = array(gettext("Diagnostics"), gettext("Sockets"));
include('head.inc');
-$showAll = isset($_GET['showAll']);
+$showAll = isset($_REQUEST['showAll']);
$showAllText = $showAll ? gettext("Show only listening sockets") : gettext("Show all socket connections");
$showAllOption = $showAll ? "" : "?showAll";
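Review bot: `isset($_REQUEST['showAll'])` is satisfied by anything PHP folds into `$_REQUEST`, which with the default `variables_order`/`request_order` settings includes cookies, while the toggle link built on the next line only ever sets a query parameter; if nothing on this page posts `showAll`, `isset($_GET['showAll'])` is the narrower check and matches how the link is generated. If a form elsewhere does post it, a one-line comment naming that caller would justify reading `$_REQUEST` here.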