authorjim-p <jimp@pfsense.org>2012-10-31 13:33:44 -0400
committerjim-p <jimp@pfsense.org>2012-10-31 13:33:44 -0400
commit1457cce53e604935dbc737bb7cfd4de64a957be5 (patch)
treed97357c647ff4d2b40e87a95313fc61251a7efb8 /usr/local/www
parent56143f06c27edc4bfa88caa79ebed8d544c122b2 (diff)
Escape parameters better when managing tables. Fix test to allow deleting subnet entries as well as IPs.
Diffstat (limited to 'usr/local/www')
-rw-r--r--usr/local/www/diag_tables.php12
1 files changed, 6 insertions, 6 deletions
diff --git a/usr/local/www/diag_tables.php b/usr/local/www/diag_tables.php
index eba3d5f..c040907 100644
--- a/usr/local/www/diag_tables.php
+++ b/usr/local/www/diag_tables.php
@@ -52,7 +52,7 @@ if($_REQUEST['type'])
$tablename = $_REQUEST['type'];
if($_REQUEST['delete']) {
- if(is_ipaddr($_REQUEST['delete'])) {
+ if(is_ipaddr($_REQUEST['delete']) || is_subnet($_REQUEST['delete'])) {
exec("/sbin/pfctl -t " . escapeshellarg($_REQUEST['type']) . " -T delete " . escapeshellarg($_REQUEST['delete']), $delete);
echo htmlentities($_REQUEST['delete']);
}
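Review bot: The table name handed to pfctl on the new line 27 (and on lines 34 and 42 in the next two hunks) is shell-quoted but, as far as these hunks show, never checked against the tables that actually exist: escapeshellarg stops the value from becoming extra shell words, yet any string is still passed through as a `-t` argument. Line 43 already collects the table list with `pfctl -sT`, so the handler could reject an unknown name before any exec, e.g. `if (!in_array($tablename, $tables, true)) { header('HTTP/1.1 400 Bad Request'); exit; }`, with that list gathered ahead of this block. Line 27 also reads `$_REQUEST['type']` directly although line 23 has already copied it into `$tablename`; using the local consistently makes it visible that every pfctl call receives the same checked value. The enclosing `if($_REQUEST['type'])` block continues outside the hunk.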
@@ -60,7 +60,7 @@ if($_REQUEST['delete']) {
}
if($_REQUEST['deleteall']) {
- exec("/sbin/pfctl -t $tablename -T show", $entries);
+ exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
if(is_array($entries)) {
foreach($entries as $entryA) {
$entry = trim($entryA);
@@ -86,7 +86,7 @@ if(($tablename == "bogons") && ($_POST['Download'])) {
$savemsg = gettext("The bogons database has been updated.");
}
-exec("/sbin/pfctl -t $tablename -T show", $entries);
+exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
exec("/sbin/pfctl -sT", $tables);
include("head.inc");
@@ -103,7 +103,7 @@ include("fbegin.inc");
window.location='diag_tables.php?type=' + entrytype;
}
function del_entry(entry) {
- new Ajax.Request("diag_tables.php?type=<?php echo $tablename;?>&delete=" + entry, {
+ new Ajax.Request("diag_tables.php?type=<?php echo htmlspecialchars($tablename);?>&delete=" + entry, {
onComplete: function(response) {
if (200 == response.status)
new Effect.Fade($(response.responseText), { duration: 1.0 } );
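Review bot: `htmlspecialchars()` on line 50 is the wrong encoder for this spot: the value lands in a URL query string inside a JavaScript string literal within a `<script>` block, where the browser does not decode HTML entities, so characters that change URL parsing (`#`, `?`, `%`, `+`) pass through untouched while `&` becomes a literal `&amp;` in the request. `rawurlencode($tablename)` matches that context, and since its output contains no quotes, backslashes or `<`, it is also safe inside the script string; line 68 in the last hunk builds a query string the same way and would take `rawurlencode` inside its `htmlspecialchars()` call. The `+ entry` on the same line has the matching gap on the client side; `+ encodeURIComponent(entry)` keeps the `/` of a subnet entry, or anything else pfctl prints, from being read as URL structure. The `del_entry` function continues outside the hunk.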
@@ -137,7 +137,7 @@ include("fbegin.inc");
</td>
<td>
<?php if ($tablename != "bogons") { ?>
- <a onClick='del_entry("<?=$entry?>");'>
+ <a onClick='del_entry("<?=htmlspecialchars($entry)?>");'>
<img img src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif">
<?php } ?>
</a>
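Review bot: `htmlspecialchars($entry)` on line 59 is emitted into a JavaScript string literal that itself sits in a single-quoted `onClick='...'` attribute, and neither layer is covered: without ENT_QUOTES (the default flags of the PHP versions of this era leave `'` alone) a single quote in `$entry` ends the attribute, and a double quote becomes `&quot;`, which the attribute parser decodes back to `"` before the JS runs, ending the `del_entry("...")` string. The same ENT_QUOTES gap applies to line 68 in the next hunk, whose `href='...'` is also single-quoted. Encoding for both layers in order fixes it: `<a onClick='del_entry(<?=htmlspecialchars(json_encode($entry), ENT_QUOTES, 'UTF-8')?>);'>`; the values come from `pfctl -T show` output, so this is defence in depth rather than a demonstrated break, but the encoder should match the delimiters. Two smaller points: `<img img src=...>` on line 60 carries a stray `img` attribute, and the `<a>` opened on line 59 inside the `if` is closed on line 62 outside it, so the bogons branch emits an unmatched `</a>`.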
@@ -156,7 +156,7 @@ include("fbegin.inc");
if($tablename == "bogons")
echo "<input name='Download' type='submit' class='formbtn' value='" . gettext("Download") . "'> " . gettext(" the latest bogon data.");
else
- echo "<p/>" . gettext("Delete") . " <a href='diag_tables.php?deleteall=true&type={$tablename}'>" . gettext("all") . "</a> " . gettext("entries in this table.");
+ echo "<p/>" . gettext("Delete") . " <a href='diag_tables.php?deleteall=true&type=" . htmlspecialchars($tablename) . "'>" . gettext("all") . "</a> " . gettext("entries in this table.");
?>
<?php include("fend.inc"); ?>
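Review bot: The "all" link on line 68 triggers `deleteall` through a plain GET, and the handler in the earlier hunk reads it from `$_REQUEST`, so the whole table is flushed by following a link; unless a token check outside this file also covers GET requests, that is a destructive action reachable by any page that can make the browser fetch the URL. A small form submitted by POST, with the handler reading `$_POST['deleteall']` and `$_POST['type']`, would route it through the same protections the `Download` button on line 65 relies on. Separately, the raw `&` in the href should be written as `&amp;` inside the attribute.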