summaryrefslogtreecommitdiffstats
path: root/usr/local/www/system_crlmanager.php
diff options
context:
space:
mode:
authorjim-p <jimp@pfsense.org>2015-07-01 11:27:43 -0400
committerjim-p <jimp@pfsense.org>2015-07-01 11:27:43 -0400
commit234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24 (patch)
tree98156ee708dbf2343d12de893c7aedba1c50b3b0 /usr/local/www/system_crlmanager.php
parent28bb81784f0ba3e147b1d78224b0a43d6675e714 (diff)
downloadpfsense-234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24.zip
pfsense-234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24.tar.gz
Encode ca/cert/crl descr in system_crlmanager.php
Diffstat (limited to 'usr/local/www/system_crlmanager.php')
-rw-r--r--usr/local/www/system_crlmanager.php27
1 files changed, 16 insertions, 11 deletions
diff --git a/usr/local/www/system_crlmanager.php b/usr/local/www/system_crlmanager.php
index 2866688..0198d84 100644
--- a/usr/local/www/system_crlmanager.php
+++ b/usr/local/www/system_crlmanager.php
@@ -98,7 +98,7 @@ if (!$thiscrl && (($act != "") && ($act != "new"))) {
}
if ($act == "del") {
- $name = $thiscrl['descr'];
+ $name = htmlspecialchars($thiscrl['descr']);
if (crl_in_use($id)) {
$savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted"), $name) . "<br />";
} else {
@@ -184,19 +184,20 @@ if ($act == "delcert") {
pfSenseHeader("system_crlmanager.php");
exit;
}
- $name = $thiscert['descr'];
+ $certname = htmlspecialchars($thiscert['descr']);
+ $crlname = htmlspecialchars($thiscrl['descr']);
if (cert_unrevoke($thiscert, $thiscrl)) {
- $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />";
+ $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname) . "<br />";
openvpn_refresh_crls();
- write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr']));
+ write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname));
} else {
- $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />";
+ $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $certname, $crlname) . "<br />";
}
$act="edit";
}
if ($_POST) {
- unset($input_errors);
+ $input_errors = array();
$pconfig = $_POST;
/* input validation */
@@ -215,6 +216,10 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ if (preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) {
+ array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
+ }
+
/* if this is an AJAX caller then handle via JSON */
if (isAjax() && is_array($input_errors)) {
input_errors2Ajax($input_errors);
@@ -361,7 +366,7 @@ function method_change() {
}
$rowIndex++;
?>
- <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
+ <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>
<?php
endforeach;
if ($rowIndex == 0) {
@@ -470,7 +475,7 @@ function method_change() {
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="revoke">
<thead>
<tr>
- <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . $crl['descr']; ?></b></th>
+ <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . htmlspecialchars($crl['descr']); ?></b></th>
<th width="10%" class="list"></th>
</tr>
<tr>
@@ -633,11 +638,11 @@ function method_change() {
<td class="list">
<?php if ($cainternal == "YES"): ?>
<a href="system_crlmanager.php?act=new&amp;caref=<?php echo $ca['refid']; ?>">
- <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"), $ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
+ <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"), htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
</a>
<?php else: ?>
<a href="system_crlmanager.php?act=new&amp;caref=<?php echo $ca['refid']; ?>&amp;importonly=yes">
- <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"), $ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
+ <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"), htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
</a>
<?php endif; ?>
</td>
@@ -650,7 +655,7 @@ function method_change() {
$inuse = crl_in_use($tmpcrl['refid']);
?>
<tr>
- <td class="listlr"><?php echo $tmpcrl['descr']; ?></td>
+ <td class="listlr"><?php echo htmlspecialchars($tmpcrl['descr']); ?></td>
<td class="listr"><?php echo ($internal) ? "YES" : "NO"; ?></td>
<td class="listr"><?php echo ($internal) ? count($tmpcrl['cert']) : "Unknown (imported)"; ?></td>
<td class="listr"><?php echo ($inuse) ? "YES" : "NO"; ?></td>
OpenPOWER on IntegriCloud