authorjim-p <jimp@pfsense.org>2016-12-17 23:01:33 -0500
committerjim-p <jimp@pfsense.org>2016-12-17 23:01:33 -0500
commitac90c9012453c7e81ff0d0b472a55b116866c56e (patch)
tree687c824a7da124d654907d14d4a9ef49eec9bd8f /src/usr
parent07c812a56fa7a4418b94f4b0858a1b9169023f0b (diff)
downloadpfsense-ac90c9012453c7e81ff0d0b472a55b116866c56e.zip
pfsense-ac90c9012453c7e81ff0d0b472a55b116866c56e.tar.gz
Fix up validation and encoding on Captive Portal status pages. Fixes #7019
Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/local/www/status_captiveportal.php13
-rw-r--r--src/usr/local/www/status_captiveportal_expire.php26
-rw-r--r--src/usr/local/www/status_captiveportal_test.php26
-rw-r--r--src/usr/local/www/status_captiveportal_voucher_rolls.php25
-rw-r--r--src/usr/local/www/status_captiveportal_vouchers.php25
5 files changed, 69 insertions, 46 deletions
diff --git a/src/usr/local/www/status_captiveportal.php b/src/usr/local/www/status_captiveportal.php
index bf9b81b..5c88bc2 100644
--- a/src/usr/local/www/status_captiveportal.php
+++ b/src/usr/local/www/status_captiveportal.php
@@ -71,10 +71,15 @@ function clientcmp($a, $b) {
return strcmp($a[$order], $b[$order]);
}
+$cp_status_orders = array('ip', 'mac', 'user', 'lastact', 'start');
if (!empty($cpzone)) {
$cpdb = captiveportal_read_db();
if ($_GET['order']) {
+ /* If an invalid order was submitted, clear it. */
+ if (!in_array($_GET['order'], $cp_status_orders)) {
+ unset($_GET['order']);
+ }
if ($_GET['order'] == "ip") {
$order = 2;
} else if ($_GET['order'] == "mac") {
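Review bot: The new whitelist check on the `in_array` line uses loose comparison; pass the strict flag, `if (!in_array($_GET['order'], $cp_status_orders, true)) {`, so the check does not depend on PHP's loose string comparison rules and only the exact keys in `$cp_status_orders` pass. After the `unset`, the `$_GET['order'] == "ip"` comparisons that follow read an undefined index and emit a notice; assigning the page's default sort key instead of unsetting (whatever value the ladder falls back to — it ends outside the hunk) would avoid that. Now that the valid keys live in one array, the `if`/`else if` ladder mapping them to column numbers could become a lookup table keyed by the same names. The enclosing `if (!empty($cpzone))` block continues past the end of the hunk.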
@@ -92,7 +97,7 @@ if (!empty($cpzone)) {
$pgtitle = array(gettext("Status"), gettext("Captive Portal"));
if (!empty($cpzone)) {
- $pgtitle[] = $a_cp[$cpzone]['zone'];
+ $pgtitle[] = htmlspecialchars($a_cp[$cpzone]['zone']);
if (isset($config['voucher'][$cpzone]['enable'])) {
$pgtitle[] = gettext("Active Users");
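Review bot: This file escapes `$a_cp[$cpzone]['zone']` for the title but, unlike the four voucher pages in this commit, no hunk here rejects a `$cpzone` that is not a key of `$a_cp`; if the zone lookup earlier in the file (outside this hunk) does not already do that, `$a_cp[$cpzone]` is undefined for an unknown zone and the same `array_key_exists($cpzone, $a_cp)` guard belongs here too — confirm against the top of the file. If `head.inc` escapes `$pgtitle` entries itself, the new `htmlspecialchars()` call double-encodes zone names containing `&`; the same change is made in the other four files, so it is worth checking once.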
@@ -175,7 +180,7 @@ if (!empty($cpzone)): ?>
foreach ($cpdb as $cpent): ?>
<tr>
<td>
- <?=$cpent[2]?>
+ <?= htmlspecialchars($cpent[2]); ?>
</td>
<td>
<?php
@@ -184,7 +189,7 @@ if (!empty($cpzone)): ?>
$mac_hi = strtoupper($mac[0] . $mac[1] . $mac[3] . $mac[4] . $mac[6] . $mac[7]);
print htmlentities($mac);
if (isset($mac_man[$mac_hi])) {
- print "<br /><font size=\"-2\"><i>{$mac_man[$mac_hi]}</i></font>";
+ print "<br /><font size=\"-2\"><i>" . htmlspecialchars($mac_man[$mac_hi]) . "</i></font>";
}
}
?> &nbsp;
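Review bot: Two different escaping functions now sit a few lines apart: `print htmlentities($mac);` on the context line and `htmlspecialchars($mac_man[$mac_hi])` on the new line. Both are adequate for this HTML text context, but using `htmlspecialchars` for both keeps the file's escaping uniform and easier to audit. The loop this code belongs to starts and ends outside the hunk.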
@@ -215,7 +220,7 @@ if (!empty($cpzone)): ?>
endif;
?>
<td>
- <a href="?zone=<?=htmlspecialchars($cpzone)?>&amp;order=<?=$_GET['order']?>&amp;showact=<?=htmlspecialchars($_GET['showact'])?>&amp;act=del&amp;id=<?=$cpent[5]?>"><i class="fa fa-trash" title="<?=gettext("Disconnect this User")?>"></i></a>
+ <a href="?zone=<?=htmlspecialchars($cpzone)?>&amp;order=<?=htmlspecialchars($_GET['order'])?>&amp;showact=<?=htmlspecialchars($_GET['showact'])?>&amp;act=del&amp;id=<?=htmlspecialchars($cpent[5])?>"><i class="fa fa-trash" title="<?=gettext("Disconnect this User")?>"></i></a>
</td>
</tr>
<?php
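Review bot: The escaping on the new `<a href>` line is right for the attribute context but not for the query-string context inside it: the `order` and `id` values are passed through `htmlspecialchars` only, so `&`, `=`, `#` or `+` in a value would still be read as URL syntax. Use `htmlspecialchars(urlencode($_GET['order']))`, and the same for `$cpent[5]` and the existing `showact` value, so each value is encoded per context. `$_GET['order']` can also be unset at this point after the whitelist check earlier in this file, which emits an undefined-index notice; an `isset()` guard keeps the link well-formed. The disconnect action is triggered by a plain GET link; unless the CSRF guard in this codebase also covers GET requests, a POST form is the safer shape for a state-changing action.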
diff --git a/src/usr/local/www/status_captiveportal_expire.php b/src/usr/local/www/status_captiveportal_expire.php
index d1e1292..d93c4d6 100644
--- a/src/usr/local/www/status_captiveportal_expire.php
+++ b/src/usr/local/www/status_captiveportal_expire.php
@@ -40,17 +40,21 @@ if (isset($_POST['zone'])) {
}
$cpzone = strtolower($cpzone);
-if (empty($cpzone)) {
- header("Location: services_captiveportal_zones.php");
- exit;
-}
-
if (!is_array($config['captiveportal'])) {
$config['captiveportal'] = array();
}
$a_cp =& $config['captiveportal'];
+/* If the zone does not exist, do not display the invalid zone */
+if (!array_key_exists($cpzone, $a_cp)) {
+ $cpzone = "";
+}
+
+if (empty($cpzone)) {
+ header("Location: services_captiveportal_zones.php");
+ exit;
+}
-$pgtitle = array(gettext("Status"), gettext("Captive Portal"), $a_cp[$cpzone]['zone'], gettext("Expire Vouchers"));
+$pgtitle = array(gettext("Status"), gettext("Captive Portal"), htmlspecialchars($a_cp[$cpzone]['zone']), gettext("Expire Vouchers"));
include("head.inc");
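Review bot: The `array_key_exists($cpzone, $a_cp)` guard is the right validation, but the same block is now copied verbatim into status_captiveportal_expire.php, status_captiveportal_test.php, status_captiveportal_voucher_rolls.php and status_captiveportal_vouchers.php, while status_captiveportal.php gets no equivalent; a shared helper in the captive portal include that resolves the zone from the request, validates it against `$config['captiveportal']` and redirects otherwise would keep the five pages in step. `$cpzone` is assigned from the request above the hunk; if it is not forced to a string there, an array value reaches `strtolower` and `array_key_exists` and produces a warning rather than the intended redirect — worth confirming or adding an `is_string()` check. The comment `/* If the zone does not exist, do not display the invalid zone */` would read better as `/* Reject a zone that is not configured; the empty() check below then redirects. */`.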
@@ -65,11 +69,11 @@ if ($_POST) {
}
$tab_array = array();
-$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Expire Vouchers"), true, "status_captiveportal_expire.php?zone={$cpzone}");
+$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Expire Vouchers"), true, "status_captiveportal_expire.php?zone=" . htmlspecialchars($cpzone));
display_top_tabs($tab_array);
$form = new Form(false);
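Review bot: The `zone=` query value on the five `$tab_array` lines is escaped with `htmlspecialchars`, which is the HTML-attribute step but not the URL step; `urlencode($cpzone)` is what the query-string position calls for, and whether an HTML escape is also needed depends on whether `display_top_tabs()` escapes the href it prints (if it does, the new code double-encodes). After the `array_key_exists` check above, `$cpzone` is a configured zone name, so the practical exposure is small. The same pattern is repeated in the tab hunks of status_captiveportal_test.php, status_captiveportal_voucher_rolls.php and status_captiveportal_vouchers.php.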
diff --git a/src/usr/local/www/status_captiveportal_test.php b/src/usr/local/www/status_captiveportal_test.php
index 13363af..5e185b5 100644
--- a/src/usr/local/www/status_captiveportal_test.php
+++ b/src/usr/local/www/status_captiveportal_test.php
@@ -40,17 +40,21 @@ if (isset($_POST['zone'])) {
}
$cpzone = strtolower($cpzone);
-if (empty($cpzone)) {
- header("Location: services_captiveportal_zones.php");
- exit;
-}
-
if (!is_array($config['captiveportal'])) {
$config['captiveportal'] = array();
}
$a_cp =& $config['captiveportal'];
+/* If the zone does not exist, do not display the invalid zone */
+if (!array_key_exists($cpzone, $a_cp)) {
+ $cpzone = "";
+}
+
+if (empty($cpzone)) {
+ header("Location: services_captiveportal_zones.php");
+ exit;
+}
-$pgtitle = array(gettext("Status"), gettext("Captive Portal"), $a_cp[$cpzone]['zone'], gettext("Test Vouchers"));
+$pgtitle = array(gettext("Status"), gettext("Captive Portal"), htmlspecialchars($a_cp[$cpzone]['zone']), gettext("Test Vouchers"));
$shortcut_section = "captiveportal-vouchers";
include("head.inc");
@@ -73,11 +77,11 @@ if ($_POST) {
}
$tab_array = array();
-$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Test Vouchers"), true, "status_captiveportal_test.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Expire Vouchers"), false, "status_captiveportal_expire.php?zone={$cpzone}");
+$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Test Vouchers"), true, "status_captiveportal_test.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Expire Vouchers"), false, "status_captiveportal_expire.php?zone=" . htmlspecialchars($cpzone));
display_top_tabs($tab_array);
$form = new Form(false);
diff --git a/src/usr/local/www/status_captiveportal_voucher_rolls.php b/src/usr/local/www/status_captiveportal_voucher_rolls.php
index 4f3e7a8..2294fdb 100644
--- a/src/usr/local/www/status_captiveportal_voucher_rolls.php
+++ b/src/usr/local/www/status_captiveportal_voucher_rolls.php
@@ -40,16 +40,21 @@ if (isset($_POST['zone'])) {
}
$cpzone = strtolower($cpzone);
+if (!is_array($config['captiveportal'])) {
+ $config['captiveportal'] = array();
+}
+$a_cp =& $config['captiveportal'];
+/* If the zone does not exist, do not display the invalid zone */
+if (!array_key_exists($cpzone, $a_cp)) {
+ $cpzone = "";
+}
+
if (empty($cpzone)) {
header("Location: services_captiveportal_zones.php");
exit;
}
-if (!is_array($config['captiveportal'])) {
- $config['captiveportal'] = array();
-}
-$a_cp =& $config['captiveportal'];
-$pgtitle = array(gettext("Status"), gettext("Captive Portal"), $a_cp[$cpzone]['zone'], gettext("Voucher Rolls"));
+$pgtitle = array(gettext("Status"), gettext("Captive Portal"), htmlspecialchars($a_cp[$cpzone]['zone']), gettext("Voucher Rolls"));
$shortcut_section = "captiveportal-vouchers";
if (!is_array($config['voucher'][$cpzone]['roll'])) {
@@ -61,11 +66,11 @@ $a_roll = &$config['voucher'][$cpzone]['roll'];
include("head.inc");
$tab_array = array();
-$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Voucher Rolls"), true, "status_captiveportal_voucher_rolls.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Expire Vouchers"), false, "status_captiveportal_expire.php?zone={$cpzone}");
+$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Active Vouchers"), false, "status_captiveportal_vouchers.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Voucher Rolls"), true, "status_captiveportal_voucher_rolls.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Expire Vouchers"), false, "status_captiveportal_expire.php?zone=" . htmlspecialchars($cpzone));
display_top_tabs($tab_array);
?>
diff --git a/src/usr/local/www/status_captiveportal_vouchers.php b/src/usr/local/www/status_captiveportal_vouchers.php
index 63b39d1..d0ad48a 100644
--- a/src/usr/local/www/status_captiveportal_vouchers.php
+++ b/src/usr/local/www/status_captiveportal_vouchers.php
@@ -40,16 +40,21 @@ if (isset($_POST['zone'])) {
}
$cpzone = strtolower($cpzone);
+if (!is_array($config['captiveportal'])) {
+ $config['captiveportal'] = array();
+}
+$a_cp =& $config['captiveportal'];
+/* If the zone does not exist, do not display the invalid zone */
+if (!array_key_exists($cpzone, $a_cp)) {
+ $cpzone = "";
+}
+
if (empty($cpzone)) {
header("Location: services_captiveportal_zones.php");
exit;
}
-if (!is_array($config['captiveportal'])) {
- $config['captiveportal'] = array();
-}
-$a_cp =& $config['captiveportal'];
-$pgtitle = array(gettext("Status"), gettext("Captive Portal"), $a_cp[$cpzone]['zone'], gettext("Active Vouchers"));
+$pgtitle = array(gettext("Status"), gettext("Captive Portal"), htmlspecialchars($a_cp[$cpzone]['zone']), gettext("Active Vouchers"));
$shortcut_section = "captiveportal-vouchers";
function clientcmp($a, $b) {
@@ -97,11 +102,11 @@ if ($_GET['order']) {
include("head.inc");
$tab_array = array();
-$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Active Vouchers"), true, "status_captiveportal_vouchers.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone={$cpzone}");
-$tab_array[] = array(gettext("Expire Vouchers"), false, "status_captiveportal_expire.php?zone={$cpzone}");
+$tab_array[] = array(gettext("Active Users"), false, "status_captiveportal.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Active Vouchers"), true, "status_captiveportal_vouchers.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Voucher Rolls"), false, "status_captiveportal_voucher_rolls.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Test Vouchers"), false, "status_captiveportal_test.php?zone=" . htmlspecialchars($cpzone));
+$tab_array[] = array(gettext("Expire Vouchers"), false, "status_captiveportal_expire.php?zone=" . htmlspecialchars($cpzone));
display_top_tabs($tab_array);
?>
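Review bot: The hunk header shows this file also branches on `$_GET['order']`, but unlike status_captiveportal.php this commit adds no whitelist for it here; if the value is echoed into links or used to select a sort column elsewhere in the file (outside the hunk), the same `$cp_status_orders`-style validation and per-context escaping apply — confirm against the rest of the file. The tab-URL encoding point raised on status_captiveportal_expire.php applies to the five `$tab_array` lines here as well.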