summaryrefslogtreecommitdiffstats
path: root/usr/local/www
diff options
context:
space:
mode:
authorjim-p <jimp@pfsense.org>2015-07-01 11:36:22 -0400
committerjim-p <jimp@pfsense.org>2015-07-01 11:36:22 -0400
commitb75cdd94a7f6f571238dd313d5f499f05f819221 (patch)
treea9e946b362405b8345570fbe647a6718198270e9 /usr/local/www
parentb741d2ef0047acf7b18b5748f1ec651eb7679909 (diff)
downloadpfsense-b75cdd94a7f6f571238dd313d5f499f05f819221.zip
pfsense-b75cdd94a7f6f571238dd313d5f499f05f819221.tar.gz
Encode ca/cert descr in system_certmanager.php
Diffstat (limited to 'usr/local/www')
-rw-r--r--usr/local/www/system_camanager.php10
1 files changed, 7 insertions, 3 deletions
diff --git a/usr/local/www/system_camanager.php b/usr/local/www/system_camanager.php
index 58407ca..368b30c 100644
--- a/usr/local/www/system_camanager.php
+++ b/usr/local/www/system_camanager.php
@@ -105,7 +105,7 @@ if ($act == "del") {
$name = $a_ca[$id]['descr'];
unset($a_ca[$id]);
write_config();
- $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), $name) . "<br />";
+ $savemsg = sprintf(gettext("Certificate Authority %s and its CRLs (if any) successfully deleted"), htmlspecialchars($name)) . "<br />";
pfSenseHeader("system_camanager.php");
exit;
}
@@ -222,6 +222,10 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if ($pconfig['method'] != "existing") {
/* Make sure we do not have invalid characters in the fields for the certificate */
+ if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) {
+ array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
+ }
+
for ($i = 0; $i < count($reqdfields); $i++) {
if ($reqdfields[$i] == 'dn_email') {
if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST["dn_email"])) {
@@ -486,7 +490,7 @@ function method_change() {
$selected = " selected=\"selected\"";
}
?>
- <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=$ca['descr'];?></option>
+ <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>
<?php
endforeach;
?>
@@ -655,7 +659,7 @@ function method_change() {
$issuer_ca = lookup_ca($ca['caref']);
if ($issuer_ca) {
- $issuer_name = $issuer_ca['descr'];
+ $issuer_name = htmlspecialchars($issuer_ca['descr']);
}
// TODO : Need gray certificate icon
OpenPOWER on IntegriCloud