authorjim-p <jimp@pfsense.org>2015-07-01 11:27:43 -0400
committerjim-p <jimp@pfsense.org>2015-07-01 11:27:43 -0400
commit234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24 (patch)
tree98156ee708dbf2343d12de893c7aedba1c50b3b0 /usr
parent28bb81784f0ba3e147b1d78224b0a43d6675e714 (diff)
downloadpfsense-234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24.zip
pfsense-234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24.tar.gz
Encode ca/cert/crl descr in system_crlmanager.php
Diffstat (limited to 'usr')
-rw-r--r--usr/local/www/system_crlmanager.php27
1 files changed, 16 insertions, 11 deletions
diff --git a/usr/local/www/system_crlmanager.php b/usr/local/www/system_crlmanager.php
index 2866688..0198d84 100644
--- a/usr/local/www/system_crlmanager.php
+++ b/usr/local/www/system_crlmanager.php
@@ -98,7 +98,7 @@ if (!$thiscrl && (($act != "") && ($act != "new"))) {
}
if ($act == "del") {
- $name = $thiscrl['descr'];
+ $name = htmlspecialchars($thiscrl['descr']);
if (crl_in_use($id)) {
$savemsg = sprintf(gettext("Certificate Revocation List %s is in use and cannot be deleted"), $name) . "<br />";
} else {
@@ -184,19 +184,20 @@ if ($act == "delcert") {
pfSenseHeader("system_crlmanager.php");
exit;
}
- $name = $thiscert['descr'];
+ $certname = htmlspecialchars($thiscert['descr']);
+ $crlname = htmlspecialchars($thiscrl['descr']);
if (cert_unrevoke($thiscert, $thiscrl)) {
- $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />";
+ $savemsg = sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname) . "<br />";
openvpn_refresh_crls();
- write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $name, $thiscrl['descr']));
+ write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $certname, $crlname));
} else {
- $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $name, $thiscrl['descr']) . "<br />";
+ $savemsg = sprintf(gettext("Failed to delete Certificate %s from CRL %s"), $certname, $crlname) . "<br />";
}
$act="edit";
}
if ($_POST) {
- unset($input_errors);
+ $input_errors = array();
$pconfig = $_POST;
/* input validation */
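Review bot: `$certname` and `$crlname` are HTML-escaped once at L35-L36 and then passed to write_config() at L42, which records the description in the configuration history rather than rendering HTML, so a name containing `&`, `<` or `"` is stored there as entities and will be double-encoded if that history is escaped again when displayed. Escape per output context instead: keep the raw values for write_config and apply htmlspecialchars() only in the two `$savemsg` lines, e.g. `write_config(sprintf(gettext("Deleted Certificate %s from CRL %s"), $thiscert['descr'], $thiscrl['descr']));`. The enclosing `if ($act == "delcert")` block begins above the hunk.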
@@ -215,6 +216,10 @@ if ($_POST) {
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ if (preg_match("/[\?\>\<\&\/\\\"\']/", $pconfig['descr'])) {
+ array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
+ }
+
/* if this is an AJAX caller then handle via JSON */
if (isAjax() && is_array($input_errors)) {
input_errors2Ajax($input_errors);
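Review bot: The new character blacklist at L56 rejects descriptions containing `&`, `/` or `'` even though this commit now escapes descr at every rendering site, so the check adds little as an XSS defence and breaks legitimate names such as "Sales & Support"; if it stays, the message should go through gettext() like the surrounding errors, `array_push($input_errors, gettext("The field 'Descriptive Name' contains invalid characters."));`. Separately, `$input_errors = array();` in the previous hunk (L51) makes `is_array($input_errors)` at L61 true on every POST, so input_errors2Ajax() is now reached for AJAX submissions even when nothing was rejected; if that helper emits a response unconditionally, the test should be `if (isAjax() && !empty($input_errors))`. The `if ($_POST)` block continues outside the hunk.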
@@ -361,7 +366,7 @@ function method_change() {
}
$rowIndex++;
?>
- <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=$ca['descr'];?></option>
+ <option value="<?=$ca['refid'];?>" <?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>
<?php
endforeach;
if ($rowIndex == 0) {
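Review bot: The `value="<?=$ca['refid'];?>"` attribute on L68 still interpolates a config value unescaped while the adjacent descr is now passed through htmlspecialchars(); the same applies to `caref=<?php echo $ca['refid']; ?>` inside the href attributes at L84 and L89. refid is presumably generated by the system rather than typed by a user, but escaping it per context costs nothing and keeps the rule "every value read from config is escaped at output" uniform, e.g. `<option value="<?=htmlspecialchars($ca['refid']);?>" ...>` and `caref=<?=urlencode($ca['refid']);?>`. The enclosing foreach template block starts above the hunk.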
@@ -470,7 +475,7 @@ function method_change() {
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="revoke">
<thead>
<tr>
- <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . $crl['descr']; ?></b></th>
+ <th width="90%" class="listhdrr" colspan="3"><b><?php echo gettext("Currently Revoked Certificates for CRL") . ': ' . htmlspecialchars($crl['descr']); ?></b></th>
<th width="10%" class="list"></th>
</tr>
<tr>
@@ -633,11 +638,11 @@ function method_change() {
<td class="list">
<?php if ($cainternal == "YES"): ?>
<a href="system_crlmanager.php?act=new&amp;caref=<?php echo $ca['refid']; ?>">
- <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"), $ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
+ <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Add or Import CRL for %s"), htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
</a>
<?php else: ?>
<a href="system_crlmanager.php?act=new&amp;caref=<?php echo $ca['refid']; ?>&amp;importonly=yes">
- <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"), $ca['descr']);?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
+ <img src="/themes/<?= $g['theme'];?>/images/icons/icon_plus.gif" title="<?php printf(gettext("Import CRL for %s"), htmlspecialchars($ca['descr']));?>" alt="<?=gettext("add crl");?>" width="17" height="17" border="0" />
</a>
<?php endif; ?>
</td>
@@ -650,7 +655,7 @@ function method_change() {
$inuse = crl_in_use($tmpcrl['refid']);
?>
<tr>
- <td class="listlr"><?php echo $tmpcrl['descr']; ?></td>
+ <td class="listlr"><?php echo htmlspecialchars($tmpcrl['descr']); ?></td>
<td class="listr"><?php echo ($internal) ? "YES" : "NO"; ?></td>
<td class="listr"><?php echo ($internal) ? count($tmpcrl['cert']) : "Unknown (imported)"; ?></td>
<td class="listr"><?php echo ($inuse) ? "YES" : "NO"; ?></td>