-rw-r--r-- | etc/inc/auth.inc | 26 | ||||
-rw-r--r-- | etc/inc/authgui.inc | 2 | ||||
-rw-r--r-- | etc/inc/util.inc | 15 | ||||
-rw-r--r-- | usr/local/www/system_advanced_admin.php | 20 |
4 files changed, 61 insertions, 2 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 13ca678..e7484c1 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -86,6 +86,32 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
 }
 }
+// If the HTTP_REFERER is something other than ourselves then disallow.
+if(!$config['system']['nohttpreferercheck']) {
+ if($_SERVER['HTTP_REFERER']) {
+ $found_host = false;
+ $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain'];
+ if(stristr($_SERVER['HTTP_REFERER'], $hostname_me))
+ $found_host = true;
+ if(!empty($config['system']['webgui']['althostnames'])) {
+ $althosts = explode(" ", $config['system']['webgui']['althostnames']);
+ foreach ($althosts as $ah)
+ if(stristr($ah, $hostname_me))
+ $found_host = true;
+ }
+ $interface_list_ips = get_configured_ip_addresses();
+ foreach($interface_list_ips as $ilips) {
+ $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips;
+ if(stristr($hostname_me_ip, $ilips))
+ $found_host = true;
+ }
+ if($found_host == false) {
+ display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . $_SERVER['HTTP_REFERER'] . "). You can disable this check if needed in System -> Advanced -> Admin.");
+ exit;
+ }
+ }
+}
+
 $groupindex = index_groups();
 $userindex = index_users();
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index e0bea3d..ee98f1c 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -261,4 +261,4 @@ if($config['virtualip'])
 <?php } // end function
-?>
+?>
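Review bot: The new guard in auth.inc reads `$config['system']['nohttpreferercheck']`, but system_advanced_admin.php (the pconfig and POST hunks in this same commit) stores the checkbox under `$config['system']['webgui']['nohttpreferercheck']`, so the "Disable HTTP_REFERER enforcement check" setting can never switch this block off. The interface-IP loop is also a tautology: `stristr($hostname_me_ip, $ilips)` searches a string built from `$ilips` for `$ilips`, which is true whenever any interface has an address, so `$found_host` ends up true for every referer and the check never rejects anything; the althostnames loop has the same shape, comparing `$ah` against `$hostname_me` instead of against the referer. All three comparisons are substring matches over the whole URL, so a referer that merely mentions the hostname in its path or query string would also pass; comparing the host component from `parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST)` against the allowed names is the tighter form. `$config['webgui']['protocol']` probably also wants the `['system']['webgui']` prefix used elsewhere in this commit, and if display_error_form() renders its message as HTML (I cannot see it here), the referer echoed into that message should pass through htmlspecialchars(). A rewrite of the matching section follows; the display_error_form()/exit tail of the block is unchanged.
```php
// … unchanged: explanatory comment …
if(!$config['system']['webgui']['nohttpreferercheck']) {
	if(!empty($_SERVER['HTTP_REFERER'])) {
		$found_host = false;
		// Compare the host component only, not the whole URL
		$referer_host = (string) parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
		$allowed_hosts = array($config['system']['hostname'] . "." . $config['system']['domain']);
		if(!empty($config['system']['webgui']['althostnames']))
			$allowed_hosts = array_merge($allowed_hosts, explode(" ", $config['system']['webgui']['althostnames']));
		$allowed_hosts = array_merge($allowed_hosts, array_values(get_configured_ip_addresses()));
		foreach($allowed_hosts as $ah)
			if(strlen($ah) > 0 && strcasecmp($referer_host, $ah) == 0)
				$found_host = true;
		// … unchanged: display_error_form() / exit when $found_host is false …
```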
\ No newline at end of file
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 0551d40..4b74a7f 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -624,6 +624,21 @@ function get_configured_interface_with_descr($only_opt = false, $withdisabled =
 return $iflist;
 }
+/*
+ * get_configured_ip_addresses() - Return a list of all configured
+ * interfaces IP Addresses
+ *
+ */
+function get_configured_ip_addresses() {
+ require_once("interfaces.inc");
+ $ip_array = array();
+ $interfaces = get_configured_interface_list();
+ foreach($interfaces as $int) {
+ $ipaddr = get_interface_ip($int);
+ $ip_array[$int] = $ipaddr;
+ }
+ return $ip_array;
+}
 /*
 * get_interface_list() - Return a list of all physical interfaces
diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php
index f34d1c7..7875802 100644
--- a/usr/local/www/system_advanced_admin.php
+++ b/usr/local/www/system_advanced_admin.php
@@ -3,7 +3,7 @@
 /*
 system_advanced_admin.php
 part of pfSense
- Copyright (C) 2005-2007 Scott Ullrich
+ Copyright (C) 2005-2010 Scott Ullrich
 Copyright (C) 2008 Shrew Soft Inc
@@ -56,6 +56,7 @@ $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttp
 $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']);
 $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']);
 $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']);
+$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']);
 $pconfig['althostnames'] = $config['system']['webgui']['althostnames'];
 $pconfig['enableserial'] = $config['system']['enableserial'];
 $pconfig['enablesshd'] = $config['system']['enablesshd'];
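Review bot: get_configured_ip_addresses() in util.inc stores the return value of get_interface_ip() for every interface from get_configured_interface_list() without checking it, and its header comment does not say that the result is keyed by interface name. If get_interface_ip() returns an empty value for an interface that currently has no address (I cannot see its implementation from here), callers that iterate the values, as the new loop in auth.inc does, receive empty entries; skipping them at the source, `if (!empty($ipaddr)) $ip_array[$int] = $ipaddr;`, keeps the result meaningful for that use. The comment block could also state the shape, e.g. `Returns an array of interface name => IP address for each configured interface`.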
@@ -140,6 +141,11 @@ if ($_POST) {
 else
 unset($config['system']['webgui']['nodnsrebindcheck']);
+ if ($_POST['nohttpreferercheck'] == "yes")
+ $config['system']['webgui']['nohttpreferercheck'] = true;
+ else
+ unset($config['system']['webgui']['nohttpreferercheck']);
+
 if ($_POST['althostnames'])
 $config['system']['webgui']['althostnames'] = $_POST['althostnames'];
 else
@@ -360,6 +366,18 @@ function prot_change() {
 </td>
 </tr>
 <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Browser HTTP_REFERER enforcement"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="nohttpreferercheck" type="checkbox" id="nohttpreferercheck" value="yes" <?php if ($pconfig['nohttpreferercheck']) echo "checked"; ?> />
+ <strong><?=gettext("Disable HTTP_REFERER enforcement check"); ?></strong>
+ <br/>
+ <?php echo gettext("When this is unchecked, access to the webConfigurator " .
+ "is protected against HTTP_REFERER redirection attempts. " .
+ "Check this box to disable this protection if you find that it interferes with " .
+ "webConfigurator access in certain corner cases such as using 3rd party scripts to interact with pfSense. More information on HTTP_REFERER is available from <a href='http://en.wikipedia.org/wiki/HTTP_referrer'>Wikipedia</a>."); ?>
+ </td>
+ </tr>
+ <tr>
 <td colspan="2" class="list" height="12"> </td>
 </tr>
 <tr> |
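Review bot: The help text on the new table row in system_advanced_admin.php describes the checkbox only as protection against "HTTP_REFERER redirection attempts" and does not say what is compared, so an administrator cannot tell which clients the check will affect before deciding to disable it. Per the auth.inc hunk, the intent is that a request is rejected with a 501 page when its Referer header does not name the firewall's hostname, one of the alternate hostnames configured above, or an interface address, and a request with no Referer header is not affected at all; saying so in the gettext string, e.g. `"requests whose HTTP_REFERER names a host other than this firewall's hostname, its alternate hostnames or its interface addresses are rejected; requests without a Referer header are not affected."`, is more useful than the generic wording. Since the whole paragraph is a single gettext() argument, the `<a href=...>` markup is part of what translators receive; keeping the anchor outside the translated string avoids broken markup in translations.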