authorjim-p <jimp@pfsense.org>2015-07-01 11:20:24 -0400
committerjim-p <jimp@pfsense.org>2015-07-01 11:20:24 -0400
commitf08e24a389543908e4934e13af87221a803b0559 (patch)
tree19fb56652808c42052c76c824b72a29588c44b4c /usr/local/www
parent009bd5fea3306e7e3a2365130e5e8672dc312b67 (diff)
downloadpfsense-f08e24a389543908e4934e13af87221a803b0559.zip
pfsense-f08e24a389543908e4934e13af87221a803b0559.tar.gz
Encode ca/cert/crl descr in system_crlmanager.php
Diffstat (limited to 'usr/local/www')
-rw-r--r--usr/local/www/system_crlmanager.php34
1 files changed, 18 insertions, 16 deletions
diff --git a/usr/local/www/system_crlmanager.php b/usr/local/www/system_crlmanager.php
index 8438ede..c1ed823 100644
--- a/usr/local/www/system_crlmanager.php
+++ b/usr/local/www/system_crlmanager.php
@@ -89,7 +89,7 @@ if (!$thiscrl && (($act != "") && ($act != "new"))) {
}
if ($act == "del") {
- $name = $thiscrl['descr'];
+ $name = htmlspecialchars($thiscrl['descr']);
if (crl_in_use($id)) {
$savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted"), $name) . "<br />";
} else {
@@ -173,19 +173,20 @@ if ($act == "delcert") {
pfSenseHeader("system_crlmanager.php");
exit;
}
- $name = $thiscert['descr'];
+ $certname = htmlspecialchars($thiscert['descr']);
+ $crlname = htmlspecialchars($thiscrl['descr']);
if (cert_unrevoke($thiscert, $thiscrl)) {
- $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />";
+ $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname) . "<br />";
openvpn_refresh_crls();
- write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr']));
+ write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname));
} else {
- $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />";
+ $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $certname, $crlname) . "<br />";
}
$act="edit";
}
if ($_POST) {
- unset($input_errors);
+ $input_errors = array();
$pconfig = $_POST;
/* input validation */
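Review bot: `$certname` and `$crlname` are HTML-escaped at assignment and then handed to write_config() as well as to `$savemsg`, so the config revision description is stored with HTML entities in it (e.g. `&amp;`, `&#039;`) and will double-encode wherever that history is escaped again for display. Encoding belongs at the sink: keep the escaped names for `$savemsg` and pass the raw values to the config writer, `write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $thiscert['descr'], $thiscrl['descr']));`. The first hunk's `$name = htmlspecialchars($thiscrl['descr']);` has the same shape if `$name` also reaches write_config() in its else branch, which lies outside that hunk. The enclosing `if ($_POST)` block continues past this hunk.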
@@ -205,6 +206,10 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ if (preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) {
+ array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
+ }
+
/* if this is an AJAX caller then handle via JSON */
if (isAjax() && is_array($input_errors)) {
input_errors2Ajax($input_errors);
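Review bot: `is_array($input_errors)` in the AJAX guard is now always true, because the previous hunk initialises `$input_errors = array()` instead of unsetting it, so input_errors2Ajax() is reached on every AJAX POST even when validation added nothing; if that helper emits and exits on an empty array (not visible here), valid AJAX saves stop at this line. `if (isAjax() && !empty($input_errors))` preserves the original meaning. Separately, the new error string is not wrapped in gettext() unlike the other user-visible strings in these hunks: `array_push($input_errors, gettext("The field 'Descriptive Name' contains invalid characters."));`. The `if ($_POST)` block this belongs to starts and ends outside the hunk.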
@@ -341,7 +346,7 @@ function method_change() {
$selected = "selected=\"selected\"";
$rowIndex++;
?>
- <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
+ <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>
<?php endforeach;
if ($rowIndex == 0)
echo "<option></option>";
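Review bot: `value="<?=$ca['refid'];?>"` on the rewritten option line is still emitted raw while the text node beside it is now encoded; refid is presumably a generated identifier rather than user-entered text, so this is consistency rather than a known injection, but encoding every config-derived value the same way is cheaper than reasoning about each one. `<option value="<?=htmlspecialchars($ca['refid']);?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>`. The same applies to the `caref=<?php echo $ca['refid']; ?>` query strings in the add-CRL link hunk further down, where `urlencode($ca['refid'])` is the appropriate encoder for a URL component.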
@@ -444,7 +449,7 @@ function method_change() {
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="revoke">
<thead>
<tr>
- <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . $crl['descr']; ?></b></th>
+ <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . htmlspecialchars($crl['descr']); ?></b></th>
<th width="10%" class="list"></th>
</tr>
<tr>
@@ -465,11 +470,10 @@ function method_change() {
</tr>
<?php else:
foreach($crl['cert'] as $i => $cert):
- $name = htmlspecialchars($cert['descr']);
?>
<tr>
<td class="listlr">
- <?php echo $name; ?>
+ <?php echo htmlspecialchars($cert['descr']); ?>
</td>
<td class="listlr">
<?php echo $openssl_crl_status[$cert["reason"]]; ?>
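Review bot: The `$name = htmlspecialchars($cert['descr']);` assignment is dropped but only the single use visible on the `<td class="listlr">` line is replaced; if `$name` is referenced again further down in this foreach body, which runs past the hunk, that reference is now either undefined or stale from the top-level `$name` set in the delcert branch. A grep for `$name` across the file before merging would settle it. The later removal of `$name = htmlspecialchars($ca['descr']);` in the `foreach($a_ca as $ca)` hunk has the same exposure, since its one visible replacement sits in a separate hunk about ten lines on.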
@@ -563,8 +567,6 @@ function method_change() {
$i = 0;
foreach($a_ca as $ca):
- $name = htmlspecialchars($ca['descr']);
-
if($ca['prv']) {
$cainternal = "YES";
} else
@@ -578,7 +580,7 @@ function method_change() {
<img src="<?=$caimg;?>" alt="CA" title="CA" border="0" height="16" width="16" />
</td>
<td align="left" valign="middle">
- <?=$name;?>
+ <?=htmlspecialchars($ca['descr']);?>
</td>
</tr>
</table>
@@ -586,11 +588,11 @@ function method_change() {
<td class="list">
<?php if ($cainternal == "YES"): ?>
<a href="system_crlmanager.php?act=new&amp;caref=<?php echo $ca['refid']; ?>">
- <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"),$ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
+ <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"),htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
</a>
<?php else: ?>
<a href="system_crlmanager.php?act=new&amp;caref=<?php echo $ca['refid']; ?>&amp;importonly=yes">
- <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"),$ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
+ <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"),htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
</a>
<?php endif; ?>
</td>
@@ -604,7 +606,7 @@ function method_change() {
$inuse = crl_in_use($tmpcrl['refid']);
?>
<tr>
- <td class="listlr"><?php echo $tmpcrl['descr']; ?></td>
+ <td class="listlr"><?php echo htmlspecialchars($tmpcrl['descr']); ?></td>
<td class="listr"><?php echo ($internal) ? "YES" : "NO"; ?></td>
<td class="listr"><?php echo ($internal) ? count($tmpcrl['cert']) : "Unknown (imported)"; ?></td>
<td class="listr"><?php echo ($inuse) ? "YES" : "NO"; ?></td>