author | jim-p <jimp@pfsense.org> | 2015-07-01 11:32:25 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2015-07-01 11:32:25 -0400 |
commit | b741d2ef0047acf7b18b5748f1ec651eb7679909 (patch) | |
tree | 026b7cc16719b2214519b77f6dbd351660d02158 /usr | |
parent | 234cde4b5dcdeb332d5376b9c2c6f5a79fba9c24 (diff) | |
Encode ca/cert descr in system_certmanager.php
Diffstat (limited to 'usr')
-rw-r--r-- | usr/local/www/system_certmanager.php | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/usr/local/www/system_certmanager.php b/usr/local/www/system_certmanager.php
index 6dff39d..cd553e6 100644
--- a/usr/local/www/system_certmanager.php
+++ b/usr/local/www/system_certmanager.php
@@ -111,10 +111,9 @@ if ($act == "del") {
 exit;
 }
- $name = $a_cert[$id]['descr'];
 unset($a_cert[$id]);
 write_config();
- $savemsg = sprintf(gettext("Certificate %s successfully deleted"), $name) . "<br />";
+ $savemsg = sprintf(gettext("Certificate %s successfully deleted"), htmlspecialchars($a_cert[$id]['descr'])) . "<br />";
 pfSenseHeader("system_certmanager.php");
 exit;
 }
@@ -314,6 +313,11 @@ if ($_POST) {
 }
 /* Make sure we do not have invalid characters in the fields for the certificate */
+
+ if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) {
+ array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
+ }
+
 for ($i = 0; $i < count($reqdfields); $i++) {
 if (preg_match('/email/', $reqdfields[$i])) { /* dn_email or csr_dn_name */
 if (preg_match("/[\!\#\$\%\^\(\)\~\?\>\<\&\/\\\,\"\']/", $_POST[$reqdfields[$i]])) {
@@ -453,6 +457,10 @@ if ($_POST) {
 do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
+ if (preg_match("/[\?\>\<\&\/\\\"\']/", $_POST['descr'])) {
+ array_push($input_errors, "The field 'Descriptive Name' contains invalid characters.");
+ }
+
 // old way
 /* make sure this csr and certificate subjects match */
 // $subj_csr = csr_get_subject($pconfig['csr'], false);
@@ -728,7 +736,7 @@ function internalca_change() {
 $selected = " selected=\"selected\"";
 }
 ?>
- <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=$ca['descr'];?></option>
+ <option value="<?=$ca['refid'];?>"<?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>
 <?php endforeach; ?>
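Review bot: The new `$savemsg` line in the hunk at @@ -111 reads `$a_cert[$id]['descr']` after `unset($a_cert[$id])` and `write_config()` have already run, so the entry is gone by the time the message is built and the name will be empty (with an undefined-index notice) instead of the deleted certificate's description. The removed `$name` line was doing the right thing; it should be kept and only the escaping moved onto it: `$name = htmlspecialchars($a_cert[$id]['descr']);` before the `unset`, and `sprintf(gettext("Certificate %s successfully deleted"), $name)` as before. Escaping the description here is still worthwhile because `$savemsg` is rendered as HTML (the `<br />` is appended raw).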
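Review bot: The character class in the new `preg_match` at @@ -314 (and its verbatim copy at @@ -453) does not actually contain a backslash: inside a double-quoted PHP string `\\\"` is compiled to `\"`, so the pattern PCRE sees is `/[\?\>\<\&\/\"\']/`, which rejects a double quote but lets a backslash through. If the intent was to reject backslashes as well, writing the pattern in single quotes makes the escaping explicit: `'/[?><&\/\\\\"\']/'`. The error message is also the only one in this file's visible hunks that is not wrapped in `gettext()`, and it reads `$_POST['descr']` without a guard; `$input_errors[] = gettext("The field 'Descriptive Name' contains invalid characters.");` matches the surrounding style. Since the block is duplicated in the two hunks, a small shared helper would keep the two copies from drifting apart.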
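Review bot: In the rewritten `<option>` at @@ -728 only the element text is escaped while `$ca['refid']` is still emitted raw inside the `value="..."` attribute; the refid is presumably generated internally, but escaping it on the same line costs nothing and makes the line uniformly safe: `<option value="<?=htmlspecialchars($ca['refid']);?>"<?=$selected;?>><?=htmlspecialchars($ca['descr']);?></option>`. The same shape appears in the `<option>` at @@ -1072 on the next line of this page. For both, passing explicit flags and charset, `htmlspecialchars($ca['descr'], ENT_QUOTES, 'UTF-8')`, removes any dependence on the default flag set of the PHP version in use.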
@@ -1060,7 +1068,7 @@ function internalca_change() {
 }
 $ca = lookup_ca($cert['caref']);
 if ($ca) {
- $caname = " (CA: {$ca['descr']})";
+ $caname = " (CA: " . htmlspecialchars($ca['descr']) . ")";
 }
 if ($pconfig['certref'] == $cert['refid']) {
 $selected = " selected=\"selected\"";
@@ -1072,7 +1080,7 @@ function internalca_change() {
 $revoked = " *Revoked";
 }
 ?>
- <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=$cert['descr'] . $caname . $inuse . $revoked;?></option>
+ <option value="<?=$cert['refid'];?>"<?=$selected;?>><?=htmlspecialchars($cert['descr']) . $caname . $inuse . $revoked;?></option>
 <?php endforeach; ?>
@@ -1187,7 +1195,7 @@ function internalca_change() {
 $ca = lookup_ca($cert['caref']);
 if ($ca) {
- $caname = $ca['descr'];
+ $caname = htmlspecialchars($ca['descr']);
 }
 if ($cert['prv']) { |
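Review bot: The hunks at @@ -1060 and @@ -1187 escape the CA description at the point where `$caname` is assigned, so the variable now carries HTML-encoded text and the echo at @@ -1072 concatenates one pre-escaped value with one escaped inline and two raw literals, `htmlspecialchars($cert['descr']) . $caname . $inuse . $revoked`; this is correct today but fragile, because the reader of the output line cannot tell which parts are already safe, and a later reuse of `$caname` in a non-HTML context or under a second escape would mis-render. Assuming `$caname` is only echoed in that option, the sturdier form is to keep the assignment raw, `$caname = " (CA: {$ca['descr']})";`, and escape the whole string where it is output: `<?=htmlspecialchars($cert['descr'] . $caname . $inuse . $revoked);?>`. The site that consumes `$caname` from the @@ -1187 hunk is outside the hunk, so whether it is double-encoded there cannot be confirmed from this page.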