author | Ermal <eri@pfsense.org> | 2013-01-21 21:07:33 +0000 |
---|---|---|
committer | Ermal <eri@pfsense.org> | 2013-01-21 21:07:33 +0000 |
commit | ed97b2cb72a945a1a6aa91b4ba244bad830eea04 (patch) | |
tree | fc91803ecead49c917b14e01748b1cf97c15e9db /usr/local/www | |
parent | 3760b867c234e7f34c21b9ce11c0e744abb0f3bc (diff) | |
download | pfsense-ed97b2cb72a945a1a6aa91b4ba244bad830eea04.zip pfsense-ed97b2cb72a945a1a6aa91b4ba244bad830eea04.tar.gz |
Validate the cpzone parameter passed that it actually is a valid zone
Diffstat (limited to 'usr/local/www')
-rw-r--r-- | usr/local/www/services_captiveportal_vouchers.php | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/usr/local/www/services_captiveportal_vouchers.php b/usr/local/www/services_captiveportal_vouchers.php
index b41a4bc..5158709 100644
--- a/usr/local/www/services_captiveportal_vouchers.php
+++ b/usr/local/www/services_captiveportal_vouchers.php
@@ -79,6 +79,13 @@ $a_cp =& $config['captiveportal'];
 if (!is_array($config['voucher'])) $config['voucher'] = array();
+if (empty($a_cp[$cpzone])) {
+ log_error("Submission on captiveportal page with unknown zone parameter: " . htmlspecialchars($cpzone));
+ header("Location: services_captiveportal_zones.php");
+ exit;
+}
+
+
 $pgtitle = array(gettext("Services"), gettext("Captive portal"), gettext("Vouchers"), $a_cp[$cpzone]['zone']);
 $shortcut_section = "captiveportal-vouchers";
@@ -157,7 +164,8 @@ else if ($_GET['act'] == "csv") {
 $count = $a_voucher[$id]['count'];
 header("Content-Type: application/octet-stream");
 header("Content-Disposition: attachment; filename=vouchers_{$cpzone}_roll{$number}.csv");
- system("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher_{$cpzone}.cfg -p {$g['varetc_path']}/voucher_{$cpzone}.private $number $count");
+ if (file_exists("{$g['varetc_path']}/voucher_{$cpzone}.cfg"))
+ system("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher_{$cpzone}.cfg -p {$g['varetc_path']}/voucher_{$cpzone}.private $number $count");
 unlink("{$g['varetc_path']}/voucher_{$cpzone}.private");
 exit;
 }
|
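Review bot: The new guard `empty($a_cp[$cpzone])` assumes `$cpzone` is a string, but its assignment is outside this hunk; if it comes straight from request data, an array value would be used as an array offset and passed to `htmlspecialchars()`. Testing the type first, `if (!is_string($cpzone) || empty($a_cp[$cpzone])) {`, keeps the check a plain allow-list lookup against the configured zones. In the `log_error()` call, `htmlspecialchars()` only helps where the log is later rendered as HTML; it leaves newlines and other control characters in the message, so the logged value should also have control characters replaced and its length capped so a crafted parameter cannot forge or flood log lines.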
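Review bot: The re-added `system()` line in the second hunk still interpolates `$cpzone`, `$number` and `$count` into a shell command string unquoted. The zone check added in the first hunk narrows `$cpzone` to an existing config key, but whether zone names and `$number` are restricted to shell-safe characters is not visible here, so each argument should go through `escapeshellarg()` rather than rely on upstream validation. The `file_exists()` guard also covers only the `system()` call: the download headers are already sent and `unlink()` runs regardless, so a missing config file yields an empty attachment with no log entry. Moving the check ahead of the `header()` calls and logging the failure would make that case visible. The enclosing `else if` branch starts before the hunk.

```php
// … unchanged: Content-Type and Content-Disposition headers …
$vcfg = "{$g['varetc_path']}/voucher_{$cpzone}.cfg";
$vkey = "{$g['varetc_path']}/voucher_{$cpzone}.private";
if (file_exists($vcfg)) {
	system("/usr/local/bin/voucher -c " . escapeshellarg($vcfg) .
	    " -p " . escapeshellarg($vkey) .
	    " " . escapeshellarg($number) .
	    " " . escapeshellarg($count));
}
// … unchanged: unlink of the .private file and exit …
```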