-rw-r--r--etc/inc/auth.inc22
-rw-r--r--etc/inc/config.lib.inc32
-rw-r--r--etc/inc/pfsense-utils.inc2
-rw-r--r--usr/local/www/edit.php4
4 files changed, 55 insertions, 5 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 67ea8c6..9de5044 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -49,6 +49,9 @@
if(!$do_not_include_config_gui_inc)
require_once("config.gui.inc");
+// Will be changed to false if security checks fail
+$security_passed = true;
+
/* If this function doesn't exist, we're being called from Captive Portal or
another internal subsystem which does not include authgui.inc */
if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
@@ -84,8 +87,11 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][
}
if($found_host == false) {
- display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.");
- exit;
+ if(!security_checks_disabled()) {
+ display_error_form("501", "Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br/>Try accessing the router by IP address instead of by hostname.");
+ exit;
+ }
+ $security_passed = false;
}
}
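Review bot: When `$found_host` is false and the bypass flag exists, the request is let through with no trace; the only record is `$security_passed = false;`, and that variable is unset later in the file. A log line in that path, e.g. `log_error("DNS rebind check failed, but security checks are temporarily disabled");`, would show an administrator that the webGUI was reached under an unrecognised hostname while the check was off. The HTTP_REFERER branch in the next hunk has the same silent path and would want the equivalent line. The enclosing `if` block starts before this hunk.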
@@ -127,12 +133,20 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui']['
}
}
if($found_host == false) {
- display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
- exit;
+ if(!security_checks_disabled()) {
+ display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
+ exit;
+ }
+ $security_passed = false;
}
}
}
+if (function_exists("display_error_form") && $security_passed)
+ /* Security checks passed, so it should be OK to turn them back on */
+ restore_security_checks();
+unset($security_passed);
+
$groupindex = index_groups();
$userindex = index_users();
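Review bot: The added `if (function_exists("display_error_form") && $security_passed)` has no braces, and a comment sits between the condition and its single statement, so a second statement added under it later would run unconditionally. The other conditionals this commit adds to the same file use braces. Writing it as `if (...) { restore_security_checks(); }` with the comment inside the braces keeps the re-arming of the checks unambiguous.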
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index 4feef0f..f8c408d 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -210,6 +210,7 @@ function restore_backup($file) {
conf_mount_rw();
unlink_if_exists("{$g['tmp_path']}/config.cache");
copy("$file","/cf/conf/config.xml");
+ disable_security_checks();
log_error("{$g['product_name']} is restoring the configuration $file");
file_notice("config.xml", "{$g['product_name']} is restoring the configuration $file", "pfSenseConfigurator", "");
conf_mount_ro();
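Review bot: `disable_security_checks()` runs whether or not the preceding `copy()` succeeded, so a failed restore still switches off the DNS rebind and HTTP referer checks although the configuration did not change. Gating the call on the result, `if (copy("$file", "/cf/conf/config.xml")) disable_security_checks();`, limits the bypass to the case it is meant for. The same unconditional call follows `copy()` in the `reset_factory_defaults()`, `config_restore()` and `config_install()` hunks below. `restore_backup()` starts and ends outside this hunk.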
@@ -569,6 +570,8 @@ function reset_factory_defaults($lock = false) {
/* copy default configuration */
copy("{$g['conf_default_path']}/config.xml", "{$g['conf_path']}/config.xml");
+ disable_security_checks();
+
/* call the wizard */
touch("/conf/trigger_initial_wizard");
if (!$lock)
@@ -593,6 +596,8 @@ function config_restore($conffile) {
unlink_if_exists("{$g['tmp_path']}/config.cache");
copy($conffile, "{$g['cf_conf_path']}/config.xml");
+ disable_security_checks();
+
unlock($lockkey);
$config = parse_config(true);
@@ -623,6 +628,8 @@ function config_install($conffile) {
copy($conffile, "{$g['conf_path']}/config.xml");
+ disable_security_checks();
+
/* unlink cache file if it exists */
if(file_exists("{$g['tmp_path']}/config.cache"))
unlink("{$g['tmp_path']}/config.cache");
@@ -633,6 +640,31 @@ function config_install($conffile) {
return 0;
}
+/*
+ * Disable security checks for DNS rebind and HTTP referrer until next time
+ * they pass (or reboot), to aid in preventing accidental lockout when
+ * restoring settings like hostname, domain, IP addresses, and settings
+ * related to the DNS rebind and HTTP referrer checks.
+ * Intended for use when restoring a configuration or directly
+ * modifying config.xml without an unconditional reboot.
+ */
+function disable_security_checks() {
+ global $g;
+ touch("{$g['tmp_path']}/disable_security_checks");
+}
+
+/* Restores security checks. Should be called after all succeed. */
+function restore_security_checks() {
+ global $g;
+ unlink_if_exists("{$g['tmp_path']}/disable_security_checks");
+}
+
+/* Returns status of security check temporary disable. */
+function security_checks_disabled() {
+ global $g;
+ return file_exists("{$g['tmp_path']}/disable_security_checks");
+}
+
function config_validate($conffile) {
global $g, $xmlerr;
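Review bot: The bypass created by `disable_security_checks()` has no upper time limit: the flag file stays until a request passes both checks or the system reboots, so if no such request arrives the DNS rebind and referer checks stay off indefinitely. `security_checks_disabled()` could treat a flag older than a short window as expired, using the mtime that `touch()` already sets. The header comment should also state that anything able to create a file in `{$g['tmp_path']}` can switch the checks off. The 900-second window below is a constructed example, and `config_validate()` continues outside this hunk.

```php
function security_checks_disabled() {
	global $g;
	$flag = "{$g['tmp_path']}/disable_security_checks";
	if (!file_exists($flag))
		return false;
	$created = filemtime($flag);
	/* Constructed example value: expire the bypass after 15 minutes */
	if ($created === false || (time() - $created) > 900) {
		unlink_if_exists($flag);
		return false;
	}
	return true;
}
```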
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 5e1d721..7ffbf24 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -550,6 +550,7 @@ function restore_config_section($section, $new_contents) {
if(file_exists("{$g['tmp_path']}/config.cache"))
unlink("{$g['tmp_path']}/config.cache");
write_config("Restored {$section} of config file (maybe from CARP partner)");
+ disable_security_checks();
conf_mount_ro();
return;
}
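Review bot: `disable_security_checks()` is called for every restored `$section`, including sections that cannot affect the hostname, addresses or webGUI settings the checks depend on. Since the log message says these restores may come from a CARP partner, routine sync of unrelated sections would presumably keep re-arming the bypass on this node. Limiting the call to the sections that matter, e.g. `if (in_array($section, array("system", "interfaces"))) disable_security_checks();` (section list to be confirmed against the config schema), narrows that window. `merge_config_section()` in the next hunk has the same call. Both function bodies start outside their hunks.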
@@ -571,6 +572,7 @@ function merge_config_section($section, $new_contents) {
$config[$section] = $section_xml;
unlink($fname);
write_config("Restored {$section} of config file (maybe from CARP partner)");
+ disable_security_checks();
conf_mount_ro();
return;
}
diff --git a/usr/local/www/edit.php b/usr/local/www/edit.php
index 9236c3f..3b94d69 100644
--- a/usr/local/www/edit.php
+++ b/usr/local/www/edit.php
@@ -58,9 +58,11 @@ if($_REQUEST['action']) {
$_REQUEST['data'] = str_replace("\r", "", base64_decode($_REQUEST['data']));
$ret = file_put_contents($_REQUEST['file'], $_REQUEST['data']);
conf_mount_ro();
- if($_REQUEST['file'] == "config.xml")
+ if($_REQUEST['file'] == "/conf/config.xml" || $_REQUEST['file'] == "/cf/conf/config.xml") {
if(file_exists("/tmp/config.cache"))
unlink("/tmp/config.cache");
+ disable_security_checks();
+ }
if($ret === false) {
echo "|" . gettext("Failed to write file") . ".|";
} elseif($ret <> strlen($_REQUEST['data'])) {
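Review bot: `disable_security_checks()` is reached before `$ret` is tested, so a failed `file_put_contents()` on config.xml still turns the DNS rebind and referer checks off. Adding `$ret !== false &&` to the new condition would tie the bypass to a write that actually happened. The comparison is also made on the literal request string, so a differently spelled path to the same file skips both the cache removal and the flag; comparing `realpath($_REQUEST['file'])` would cover that. The `if`/`elseif` chain on `$ret` continues past the end of this hunk.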