-rw-r--r--etc/inc/authgui.inc6
-rw-r--r--etc/inc/config.lib.inc9
-rw-r--r--etc/inc/pfsense-utils.inc7
-rwxr-xr-xusr/local/www/firewall_virtual_ip.php3
-rw-r--r--usr/local/www/headjs.php3
-rwxr-xr-xusr/local/www/system_firmware.php5
-rw-r--r--usr/local/www/system_usermanager_passwordmg.php5
-rw-r--r--usr/local/www/upload_progress.php4
8 files changed, 39 insertions, 3 deletions
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index f87494b..85771a0 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -87,6 +87,12 @@ if (!$_SESSION['Post_Login']) {
exit;
}
+/*
+ * Close session data to allow other scripts from same host to come in.
+ * A session can be reactivated from calling session_start again
+ */
+session_commit();
+
/*
* determine if the user is allowed access to the requested page
*/
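Review bot: The added comment above `session_commit()` explains why the session is closed but not what that costs. After this call, any later assignment to `$_SESSION` in the same request is not saved unless the page reopens the session first. I would add a line such as `Writes to $_SESSION after this point are lost unless session_start() is called again before writing.` Pages that set session values after including authgui.inc (not visible in this hunk) should be checked against that rule.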
diff --git a/etc/inc/config.lib.inc b/etc/inc/config.lib.inc
index dc57b41..1647d7d 100644
--- a/etc/inc/config.lib.inc
+++ b/etc/inc/config.lib.inc
@@ -497,15 +497,22 @@ function write_config($desc="Unknown", $backup = true) {
log_error("WARNING! Configuration written on bootup. This can cause stray openvpn and load balancing items in config.xml");
*/
+ if (!session_id())
+ session_start();
if (!empty($_SESSION['Username']) && ($_SESSION['Username'] != "admin")) {
$user = getUserEntry($_SESSION['Username']);
- if (is_array($user) && userHasPrivilege($user, "user-config-readonly"))
+ if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {
+ session_commit();
return false;
+ }
}
+
$username = empty($_SESSION["Username"]) ? "(system)" : $_SESSION['Username'];
if (!empty($_SERVER['REMOTE_ADDR']))
$username .= '@' . $_SERVER['REMOTE_ADDR'];
+ session_commit();
+
if($backup)
backup_config();
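Review bot: The guard `if (!session_id())` added at the top of this block does not show whether the session is open. As far as I know, session_id() keeps returning the id after session_commit(), so once authgui.inc has closed the session this guard never calls session_start(), and the privilege check only works because `$_SESSION` stays populated in memory. In the opposite case, when write_config() runs with no session at all (the log text above mentions bootup), the guard would start a brand-new session from a non-web context. Consider skipping the session outside the web GUI and, where the PHP version provides it, testing `session_status() !== PHP_SESSION_ACTIVE` instead. The same guard is repeated in the pfsense-utils.inc, firewall_virtual_ip.php, headjs.php, system_usermanager_passwordmg.php and upload_progress.php hunks; write_config() starts and ends outside this hunk.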
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 9ebf3c1..4807350 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -50,8 +50,13 @@
******/
function have_natonetooneruleint_access($if) {
$security_url = "firewall_nat_1to1_edit.php?if=". strtolower($if);
- if(isAllowedPage($security_url, $_SESSION['Username']))
+ if (!session_id())
+ session_start();
+ if(isAllowedPage($security_url, $_SESSION['Username'])) {
+ session_commit();
return true;
+ }
+ session_commit();
return false;
}
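Review bot: The added lines in have_natonetooneruleint_access() call `session_commit()` once on each return path, which is easy to miss when a third path is added later. Capturing the result once keeps a single close and a single exit: `$allowed = (bool) isAllowedPage($security_url, $_SESSION['Username']); session_commit(); return $allowed;`. The function header comment could also state that the function opens and closes the session as a side effect.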
diff --git a/usr/local/www/firewall_virtual_ip.php b/usr/local/www/firewall_virtual_ip.php
index e4aee0d..f2de3ea 100755
--- a/usr/local/www/firewall_virtual_ip.php
+++ b/usr/local/www/firewall_virtual_ip.php
@@ -124,11 +124,14 @@ if ($_GET['act'] == "del") {
if (!$input_errors) {
+ if (!session_id())
+ session_start();
$user = getUserEntry($_SESSION['Username']);
if (is_array($user) && userHasPrivilege($user, "user-config-readonly")) {
header("Location: firewall_virtual_ip.php");
exit;
}
+ session_commit();
// Special case since every proxyarp vip is handled by the same daemon.
if ($a_vip[$_GET['id']]['mode'] == "proxyarp") {
diff --git a/usr/local/www/headjs.php b/usr/local/www/headjs.php
index 4cf1ab2..197d806 100644
--- a/usr/local/www/headjs.php
+++ b/usr/local/www/headjs.php
@@ -48,7 +48,10 @@ function getHeadJS() {
var input_errors = '';
jQuery(document).ready(init);
";
+ if (!session_id())
+ session_start();
$_SESSION['NO_AJAX'] == "True" ? $noajax = "var noAjaxOnSubmit = true;" : $noajax = "var noAjaxOnSubmit = false;";
+ session_commit();
$headjs .= "
{$noajax}
diff --git a/usr/local/www/system_firmware.php b/usr/local/www/system_firmware.php
index 1a54d0d..26ead4b 100755
--- a/usr/local/www/system_firmware.php
+++ b/usr/local/www/system_firmware.php
@@ -213,7 +213,10 @@ include("head.inc");
<form action="system_firmware.php" method="post" enctype="multipart/form-data">
<?php
/* Construct an upload_id for this session */
- $upload_id = "up". $_SESSION['Username'];
+ if (!session_id())
+ $upload_id = uniqid();
+ else
+ $upload_id = session_id();
?>
<input type="hidden" name="UPLOAD_IDENTIFIER" value="<?php echo $upload_id;?>" />
<?php include("fbegin.inc"); ?>
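Review bot: The `else` branch puts the raw session id into the hidden `UPLOAD_IDENTIFIER` field. The credential that the session cookie protects is then also present in the page markup and the POST body, where page scripts, caches and request logs can read it. Use a value derived from the id rather than the id itself, e.g. `$upload_id = hash('sha256', 'upload:' . session_id());`. The `uniqid()` fallback is time-based and guessable, which matters if the identifier is meant to keep one user's upload progress private from another. The value is also echoed without `htmlspecialchars()`; that is harmless for these two sources, but adding it keeps the attribute safe if the source changes.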
diff --git a/usr/local/www/system_usermanager_passwordmg.php b/usr/local/www/system_usermanager_passwordmg.php
index 0d64599..895d28d 100644
--- a/usr/local/www/system_usermanager_passwordmg.php
+++ b/usr/local/www/system_usermanager_passwordmg.php
@@ -64,12 +64,17 @@ if (isset($_POST['save'])) {
}
}
+if (!session_id())
+ session_start();
+
/* determine if user is not local to system */
$islocal = false;
foreach($config['system']['user'] as $user)
if($user['name'] == $_SESSION['Username'])
$islocal = true;
+session_commit();
+
include("head.inc");
?>
diff --git a/usr/local/www/upload_progress.php b/usr/local/www/upload_progress.php
index 344ae67..812f7b7 100644
--- a/usr/local/www/upload_progress.php
+++ b/usr/local/www/upload_progress.php
@@ -38,12 +38,16 @@
include("guiconfig.inc");
+if (!session_id())
+ session_start();
+
// sanitize the ID value
$id = $_SESSION['uploadid'];
if (!$id) {
echo gettext("Sorry, we could not find an uploadid code.");
exit;
}
+session_commit();
// retrieve the upload data from APC
$info = uploadprogress_get_info($id);
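Review bot: `$_SESSION['uploadid']` is read here, but no hunk in this commit writes that key; system_firmware.php now sends session_id() or uniqid() as UPLOAD_IDENTIFIER instead. Unless another file sets the key, this page will always print the "could not find an uploadid code" message, and in the uniqid() case it has no way to learn the value. The `// sanitize the ID value` comment also does not match the code, which passes the value through unchanged. Either validate it against the expected character set before `uploadprogress_get_info($id)` or reword the comment.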