-rw-r--r--conf.default/config.xml2
-rw-r--r--etc/inc/auth.inc60
-rw-r--r--etc/inc/authgui.inc2
-rw-r--r--etc/inc/captiveportal.inc61
-rw-r--r--etc/inc/filter.inc41
-rw-r--r--etc/inc/functions.inc2
-rw-r--r--etc/inc/globals.inc3
-rw-r--r--etc/inc/interfaces.inc2
-rw-r--r--etc/inc/ipsec.inc1
-rw-r--r--etc/inc/notices.inc3
-rw-r--r--etc/inc/openvpn.auth-user.php18
-rw-r--r--etc/inc/pfsense-utils.inc27
-rw-r--r--etc/inc/pkg-utils.inc60
-rw-r--r--etc/inc/priv.inc7
-rw-r--r--etc/inc/radius.inc2
-rw-r--r--etc/inc/service-utils.inc7
-rw-r--r--etc/inc/services.inc147
-rw-r--r--etc/inc/shaper.inc8
-rw-r--r--etc/inc/upgrade_config.inc120
-rw-r--r--etc/inc/voucher.inc9
-rw-r--r--etc/inc/vpn.inc6
-rw-r--r--etc/phpshellsessions/enableallowallwan2
-rwxr-xr-xetc/rc.filter_synchronize10
-rwxr-xr-xetc/rc.firmware_auto90
-rwxr-xr-xetc/sshd1
-rw-r--r--etc/version2
-rwxr-xr-xusr/local/sbin/cleargmirror.sh26
-rwxr-xr-xusr/local/sbin/cleargpt.sh13
-rwxr-xr-xusr/local/www/bandwidth_by_ip.php58
-rw-r--r--usr/local/www/diag_authentication.php7
-rwxr-xr-xusr/local/www/diag_dump_states.php34
-rw-r--r--usr/local/www/diag_testport.php10
-rw-r--r--usr/local/www/firewall_aliases.php2
-rw-r--r--usr/local/www/firewall_nat_out_edit.php2
-rw-r--r--usr/local/www/guiconfig.inc7
-rw-r--r--usr/local/www/load_balancer_pool.php2
-rw-r--r--usr/local/www/load_balancer_pool_edit.php6
-rw-r--r--usr/local/www/load_balancer_virtual_server.php2
-rw-r--r--usr/local/www/load_balancer_virtual_server_edit.php6
-rw-r--r--usr/local/www/pkg_mgr_installed.php8
-rwxr-xr-xusr/local/www/status.php14
-rw-r--r--usr/local/www/status_captiveportal_test.php4
-rw-r--r--usr/local/www/status_graph.php1
-rw-r--r--usr/local/www/status_lb_pool.php2
-rw-r--r--usr/local/www/status_lb_vs.php2
-rw-r--r--usr/local/www/status_openvpn.php8
-rw-r--r--usr/local/www/status_rrd_graph.php2
-rw-r--r--usr/local/www/system_authservers.php56
-rw-r--r--usr/local/www/system_usermanager.php3
-rw-r--r--usr/local/www/system_usermanager_settings.php2
-rwxr-xr-xusr/local/www/system_usermanager_settings_test.php6
-rw-r--r--usr/local/www/vpn_ipsec_mobile.php2
-rw-r--r--usr/local/www/vpn_ipsec_phase1.php11
-rw-r--r--usr/local/www/vpn_openvpn_server.php2
-rw-r--r--usr/local/www/widgets/widgets/load_balancer_status.widget.php2
-rw-r--r--usr/local/www/widgets/widgets/openvpn.widget.php2
56 files changed, 619 insertions, 376 deletions
diff --git a/conf.default/config.xml b/conf.default/config.xml
index 6a6da59..8979fc3 100644
--- a/conf.default/config.xml
+++ b/conf.default/config.xml
@@ -1,6 +1,6 @@
<?xml version="1.0"?>
<pfsense>
- <version>11.8</version>
+ <version>11.9</version>
<lastchange/>
<theme>pfsense_ng</theme>
<system>
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index e216289..fbbaba1 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -919,7 +919,11 @@ function ldap_get_groups($username, $authcfg) {
$ldapauthcont = $authcfg['ldap_authcn'];
$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
$ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
- $ldapfilter = "({$ldapnameattribute}={$username})";
+ if (isset($authcfg['ldap_rfc2307'])) {
+ $ldapfilter = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$username}))";
+ } else {
+ $ldapfilter = "({$ldapnameattribute}={$username})";
+ }
$ldaptype = "";
$ldapver = $authcfg['ldap_protver'];
if (empty($ldapbindun) || empty($ldapbindpw))
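Review bot: `$username` is interpolated straight into the LDAP search filter on both branches of the new `if`, so a login name containing `*`, `(`, `)` or `\` changes the meaning of the filter (filter injection); the rfc2307 branch now runs that filter against every group object, which makes the unescaped value more consequential than before. Escape it once before building either filter — `$ldapuser = ldap_escape($username, "", LDAP_ESCAPE_FILTER);` on PHP 5.6+, or a `str_replace` of `\`, `*`, `(`, `)` and NUL with their `\xx` forms on older builds — and interpolate `$ldapuser` in both format strings. `$authcfg['ldap_attr_groupobj']` is admin-supplied server configuration, so it is lower risk, but an empty value yields `(objectClass=)`, which matches nothing; a guard or a sensible default is worth adding. ldap_get_groups begins before this hunk and continues past it.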
@@ -929,10 +933,15 @@ function ldap_get_groups($username, $authcfg) {
$ldapname = $authcfg['name'];
$ldapfallback = false;
$ldapscope = $authcfg['ldap_scope'];
+ $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25;
} else
return false;
- $ldapdn = $_SESSION['ldapdn'];
+ if (isset($authcfg['ldap_rfc2307'])) {
+ $ldapdn = $ldapbasedn;
+ } else {
+ $ldapdn = $_SESSION['ldapdn'];
+ }
/*Convert attribute to lowercase. php ldap arrays put everything in lowercase */
$ldapgroupattribute = strtolower($ldapgroupattribute);
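Review bot: `is_numeric($authcfg['ldap_timeout'])` accepts `0`, negative values and floats such as `1e3`, all of which are later cast with `(int)` and handed to `LDAP_OPT_NETWORK_TIMEOUT` and `LDAP_OPT_TIMELIMIT`, so a zero or negative setting disables or breaks the timeout this change introduces. Clamp it to a positive integer: `$ldaptimeout = (is_numeric($authcfg['ldap_timeout']) && (int)$authcfg['ldap_timeout'] > 0) ? (int)$authcfg['ldap_timeout'] : 25;`. The identical expression is duplicated in ldap_backed in this commit; a small helper would keep the two defaults in step. The rfc2307 branch roots the group search at `$ldapbasedn`, which is assigned outside this hunk; a one-line comment saying the search starts at the base DN rather than at the user's own DN would help the next reader.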
@@ -954,6 +963,8 @@ function ldap_get_groups($username, $authcfg) {
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+ ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
+ ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
/* bind as user that has rights to read group attributes */
$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
@@ -982,14 +993,15 @@ function ldap_get_groups($username, $authcfg) {
$search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
$info = @ldap_get_entries($ldap, $search);
- $countem = $info["count"];
-
- if(is_array($info[0][$ldapgroupattribute])) {
+ $gresults = isset($authcfg['ldap_rfc2307']) ? $info : $info[0][$ldapgroupattribute];
+
+ if(is_array($gresults)) {
/* Iterate through the groups and throw them into an array */
- foreach ($info[0][$ldapgroupattribute] as $member) {
- if (stristr($member, "CN=") !== false) {
- $membersplit = explode(",", $member);
- $memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
+ foreach ($gresults as $grp) {
+ if (((isset($authcfg['ldap_rfc2307'])) && (stristr($grp["dn"], "CN=") !== false))
+ || ((!isset($authcfg['ldap_rfc2307'])) && (stristr($grp, "CN=") !== false))) {
+ $grpsplit = isset($authcfg['ldap_rfc2307']) ? explode(",", $grp["dn"]) : explode(",", $grp);
+ $memberof[] = preg_replace("/CN=/i", "", $grpsplit[0]);
}
}
}
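Review bot: In rfc2307 mode `$gresults` is the raw `ldap_get_entries()` result, whose `"count"` element is an integer, so the loop evaluates `$grp["dn"]` on an integer — silently null on older PHP, a notice on 7.4+ — and `$gresults` is `false` when the search itself failed, since the `@` hides the warning. Skip anything that is not an entry at the top of the loop, `if (!is_array($grp) || empty($grp["dn"])) { continue; }` on the rfc2307 path, or `unset($gresults["count"]);` before iterating. Taking only the first RDN and stripping `CN=` case-insensitively means two distinct groups such as `cn=admins,ou=a` and `CN=admins,OU=b` map to the same local group name; that is pre-existing, but it is now reachable through a second code path and should be noted in a comment. ldap_get_groups continues beyond this hunk.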
@@ -1060,6 +1072,7 @@ function ldap_backed($username, $passwd, $authcfg) {
$ldapver = $authcfg['ldap_protver'];
$ldapname = $authcfg['name'];
$ldapscope = $authcfg['ldap_scope'];
+ $ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 25;
} else
return false;
@@ -1080,6 +1093,8 @@ function ldap_backed($username, $passwd, $authcfg) {
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+ ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
+ ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
/* Make sure we can connect to LDAP */
$error = false;
@@ -1236,6 +1251,24 @@ function radius_backed($username, $passwd, $authcfg, &$attributes = array()) {
return $ret;
}
+/*
+ $attributes must contain a "class" key containing the groups and local
+ groups must exist to match.
+*/
+function radius_get_groups($attributes) {
+ $groups = array();
+ if (!empty($attributes) && is_array($attributes) && !empty($attributes['class'])) {
+ $groups = explode(";", $attributes['class']);
+ foreach ($groups as & $grp) {
+ $grp = trim($grp);
+ if (strtolower(substr($grp, 0, 3)) == "ou=") {
+ $grp = substr($grp, 3);
+ }
+ }
+ }
+ return $groups;
+}
+
function get_user_expiration_date($username) {
$user = getUserEntry($username);
if ($user['expires'])
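Review bot: The `foreach ($groups as & $grp)` in radius_get_groups leaves `$grp` bound by reference after the loop, and an attribute value such as `admins;` or `; ou=users` produces empty-string group names that are handed on to the privilege code. Add `unset($grp);` after the loop and drop empties before returning: `$groups = array_values(array_filter($groups, 'strlen'));`. The docblock should also state that the value is taken as-is from the RADIUS reply, is expected to be a `;`-separated list with optional `ou=` prefixes, and is matched by name against local groups — that is what makes the RADIUS server the source of GUI privileges, which a reader of this helper cannot otherwise tell.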
@@ -1289,7 +1322,7 @@ function auth_get_authserver_list() {
return $list;
}
-function getUserGroups($username, $authcfg) {
+function getUserGroups($username, $authcfg, &$attributes = array()) {
global $config;
$allowed_groups = array();
@@ -1299,6 +1332,7 @@ function getUserGroups($username, $authcfg) {
$allowed_groups = @ldap_get_groups($username, $authcfg);
break;
case 'radius':
+ $allowed_groups = @radius_get_groups($attributes);
break;
default:
$user = getUserEntry($username);
@@ -1363,14 +1397,16 @@ function session_auth() {
return false;
/* Validate incoming login request */
+ $attributes = array();
if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
- if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) ||
- authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
+ if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes) ||
+ authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
// Generate a new id to avoid session fixation
session_regenerate_id();
$_SESSION['Logged_In'] = "True";
$_SESSION['Username'] = $_POST['usernamefld'];
+ $_SESSION['user_radius_attributes'] = $attributes;
$_SESSION['last_access'] = time();
$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
if(! isset($config['system']['webgui']['quietlogin'])) {
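Review bot: `$_SESSION['user_radius_attributes'] = $attributes;` is stored whichever of the two `authenticate_user()` calls succeeded, so when the remote call fails and the local fallback logs the user in, whatever the failed attempt left in `$attributes` is persisted and later fed to getAllowedPages(); unless authenticate_user() is known to clear its by-reference argument on failure (not visible here), capture the first call's result — `$remote_ok = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes);` — and store `$remote_ok ? $attributes : array()`. Note also that, unlike the LDAP path which re-queries group membership on every request, RADIUS group membership is now frozen in the session at login time; a comment saying so would spare the next maintainer a surprise. session_auth continues beyond this hunk.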
diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc
index 0999452..2ca4aa5 100644
--- a/etc/inc/authgui.inc
+++ b/etc/inc/authgui.inc
@@ -53,7 +53,7 @@ if (!session_auth()) {
* We give them access only to the appropriate pages based on
* the user or group privileges.
*/
-$allowedpages = getAllowedPages($_SESSION['Username']);
+$allowedpages = getAllowedPages($_SESSION['Username'], $_SESSION['user_radius_attributes']);
/*
* redirect to first allowed page if requesting a wrong url
diff --git a/etc/inc/captiveportal.inc b/etc/inc/captiveportal.inc
index 5ed4b3f..d0984dd 100644
--- a/etc/inc/captiveportal.inc
+++ b/etc/inc/captiveportal.inc
@@ -500,17 +500,15 @@ function captiveportal_init_rules($reinit = false) {
if (!empty($tmpif)) {
$cpipm = get_interface_ip($cpifgrp);
if (is_ipaddr($cpipm)) {
- $carpif = link_ip_to_carp_interface($cpipm);
- if (!empty($carpif)) {
- $carpsif = explode(" ", $carpif);
- foreach ($carpsif as $cpcarp) {
- mwexec("/sbin/ipfw zone {$cpzoneid} madd {$cpcarp}", true);
- $carpip = find_interface_ip($cpcarp);
- if (is_ipaddr($carpip))
- $cpips[] = $carpip;
+ $cpips[] = $cpipm;
+ if (!is_array($config['virtualip']) || !is_array($config['virtualip']['vip'])) {
+ continue;
+ }
+ foreach ($config['virtualip']['vip'] as $vip) {
+ if (($vip['interface'] == $cpifgrp) && (($vip['mode'] == "carp") || ($vip['mode'] == "ipalias"))) {
+ $cpips[] = $vip['subnet'];
}
}
- $cpips[] = $cpipm;
}
mwexec("/sbin/ipfw zone {$cpzoneid} madd {$tmpif}", true);
}
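Review bot: The new `continue` at the `!is_array($config['virtualip']['vip'])` guard leaves the enclosing interface loop before `mwexec("/sbin/ipfw zone {$cpzoneid} madd {$tmpif}", true);` on the last line of this hunk, so on any install with no virtual IPs configured — the common case — the interface is no longer added to the ipfw zone and the portal rules never apply to it. Invert the guard so only the VIP loop is conditional: `if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) {` around the `foreach`, with its closing brace, and no `continue`. The same construct appears in filter.inc in this commit; keeping the two identical avoids the two portal IP lists drifting apart. The enclosing loop's header lies outside this hunk.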
@@ -1336,16 +1334,53 @@ function radius($username,$password,$clientip,$clientmac,$type, $radiusctx = nul
function captiveportal_opendb() {
global $g, $cpzone;
- $DB = new SQLite3("{$g['vardb_path']}/captiveportal{$cpzone}.db");
- if (! $DB->exec("CREATE TABLE IF NOT EXISTS captiveportal (" .
+ $db_path = "{$g['vardb_path']}/captiveportal{$cpzone}.db";
+ $createquery = "CREATE TABLE IF NOT EXISTS captiveportal (" .
"allow_time INTEGER, pipeno INTEGER, ip TEXT, mac TEXT, username TEXT, " .
"sessionid TEXT, bpassword TEXT, session_timeout INTEGER, idle_timeout INTEGER, " .
"session_terminate_time INTEGER, interim_interval INTEGER, radiusctx TEXT); " .
"CREATE UNIQUE INDEX IF NOT EXISTS idx_active ON captiveportal (sessionid, username); " .
"CREATE INDEX IF NOT EXISTS user ON captiveportal (username); " .
"CREATE INDEX IF NOT EXISTS ip ON captiveportal (ip); " .
- "CREATE INDEX IF NOT EXISTS starttime ON captiveportal (allow_time)"))
- captiveportal_syslog("Error during table {$cpzone} creation. Error message: {$DB->lastErrorMsg()}");
+ "CREATE INDEX IF NOT EXISTS starttime ON captiveportal (allow_time)";
+
+ try {
+ $DB = new SQLite3($db_path);
+ } catch (Exception $e) {
+ captiveportal_syslog("Could not open {$db_path} as an sqlite database for {$cpzone}. Error message: " . $e->getMessage() . " -- Trying again.");
+ unlink_if_exists($db_path);
+ try {
+ $DB = new SQLite3($db_path);
+ } catch (Exception $e) {
+ captiveportal_syslog("Still could not open {$db_path} as an sqlite database for {$cpzone}. Error message: " . $e->getMessage() . " -- Remove the database file manually and ensure there is enough free space.");
+ return;
+ }
+ }
+
+ if (!$DB) {
+ captiveportal_syslog("Could not open {$db_path} as an sqlite database for {$cpzone}. Error message: {$DB->lastErrorMsg()}. Trying again.");
+ unlink_if_exists($db_path);
+ $DB = new SQLite3($db_path);
+ if (!$DB) {
+ captiveportal_syslog("Still could not open {$db_path} as an sqlite database for {$cpzone}. Error message: {$DB->lastErrorMsg()}. Remove the database file manually and ensure there is enough free space.");
+ return;
+ }
+ }
+
+ if (! $DB->exec($createquery)) {
+ captiveportal_syslog("Error during table {$cpzone} creation. Error message: {$DB->lastErrorMsg()}. Resetting and trying again.");
+
+ /* If unable to initialize the database, reset and try again. */
+ $DB->close();
+ unset($DB);
+ unlink_if_exists($db_path);
+ $DB = new SQLite3($db_path);
+ if ($DB->exec($createquery)) {
+ captiveportal_syslog("Successfully reinitialized tables for {$cpzone} -- database has been reset.");
+ } else {
+ captiveportal_syslog("Still unable to create tables for {$cpzone}. Error message: {$DB->lastErrorMsg()}. Remove the database file manually and try again.");
+ }
+ }
return $DB;
}
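Review bot: The third `new SQLite3($db_path)` in the table-creation retry is not wrapped in `try`/`catch`, so if that reopen fails the exception escapes captiveportal_opendb() and takes the caller down, whereas the first two opens are guarded; the `if (!$DB)` block between them is unreachable — the constructor throws rather than returning false, which is exactly what the `try` above it relies on — and would itself fatal on `$DB->lastErrorMsg()`. Drop the dead block and guard the retry as below. Every failure path deletes the zone's session database, which holds the active client sessions and their accounting state, so the log lines should say that sessions were discarded, and if the open can fail transiently (a locked file under concurrent access, for instance) a single plain retry before `unlink_if_exists` would be safer. Callers get null from the bare `return;` paths and must check for it.
```php
	// … unchanged: first try/catch around new SQLite3($db_path) …
	// (the unreachable "if (!$DB) { … }" block is deleted)

	if (! $DB->exec($createquery)) {
		captiveportal_syslog("Error during table {$cpzone} creation. Error message: {$DB->lastErrorMsg()}. Resetting and trying again.");

		/* If unable to initialize the database, reset and try again.
		 * NOTE: this discards every active session recorded for the zone. */
		$DB->close();
		unset($DB);
		unlink_if_exists($db_path);
		try {
			$DB = new SQLite3($db_path);
		} catch (Exception $e) {
			captiveportal_syslog("Still could not open {$db_path} as an sqlite database for {$cpzone}. Error message: " . $e->getMessage() . " -- Remove the database file manually and try again.");
			return;
		}
		// … unchanged: second exec($createquery) and its success/failure logging …
	}
	return $DB;
```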
diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
index 2a2998c..9b9dd0c 100644
--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -584,7 +584,7 @@ function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddr
if(is_alias($address)) {
if (alias_get_type($address) == 'urltable') {
// Feature#1603. For this type of alias we do not need to recursively call filter_generate_nested_alias. Just load IPs from the file.
- $urltable_netsting = alias_expand_urltable($address);
+ $urltable_nesting = alias_expand_urltable($address);
if (!empty($urltable_nesting)) {
$urlfile_as_arr = file($urltable_nesting);
foreach($urlfile_as_arr as $line) {
@@ -601,7 +601,7 @@ function filter_generate_nested_alias($name, $alias, &$aliasnesting, &$aliasaddr
else if(!isset($aliasnesting[$address]))
$tmpline = filter_generate_nested_alias($name, $aliastable[$address], $aliasnesting, $aliasaddrnesting);
} else if(!isset($aliasaddrnesting[$address])) {
- if (!is_ipaddr($address) && !is_subnet($address) && !(($alias_type == 'port') && (is_port($address) || is_portrange($address))) && is_hostname($address)) {
+ if (!is_ipaddr($address) && !is_subnet($address) && !((($alias_type == 'port') || ($alias_type == 'url_ports')) && (is_port($address) || is_portrange($address))) && is_hostname($address)) {
if (!isset($filterdns["{$address}{$name}"])) {
$use_filterdns = true;
$filterdns["{$address}{$name}"] = "pf {$address} {$name}\n";
@@ -697,10 +697,14 @@ function filter_generate_aliases() {
$aliases .= "#Snort tables\n";
$aliases .= "table <snort2c>\n";
$aliases .= "table <virusprot>\n";
- if (!file_exists("/etc/bogons"))
- @file_put_contents("/etc/bogons", "");
- if (!file_exists("/etc/bogonsv6"))
- @file_put_contents("/etc/bogonsv6", "");
+ if (!file_exists("/etc/bogons") || !file_exists("/etc/bogonsv6")) {
+ conf_mount_rw();
+ if (!file_exists("/etc/bogons"))
+ @file_put_contents("/etc/bogons", "");
+ if (!file_exists("/etc/bogonsv6"))
+ @file_put_contents("/etc/bogonsv6", "");
+ conf_mount_ro();
+ }
$aliases .= "table <bogons> persist file \"/etc/bogons\"\n";
if (is_bogonsv6_used())
$aliases .= "table <bogonsv6> persist file \"/etc/bogonsv6\"\n";
@@ -2508,14 +2512,10 @@ function filter_generate_user_rule($rule) {
$rg = get_interface_gateway_v6($rule['interface']);
if (is_ipaddrv6($rg))
$aline['reply'] = "reply-to ( {$ifcfg['ifv6']} {$rg} ) ";
- else if ($rule['interface'] <> "pptp")
- log_error(sprintf(gettext("Could not find IPv6 gateway for interface (%s)."), $rule['interface']));
} else {
$rg = get_interface_gateway($rule['interface']);
if (is_ipaddrv4($rg))
$aline['reply'] = "reply-to ( {$ifcfg['if']} {$rg} ) ";
- else if ($rule['interface'] <> "pptp")
- log_error(sprintf(gettext("Could not find IPv4 gateway for interface (%s)."), $rule['interface']));
}
}
/* if user has selected a custom gateway, lets work with it */
@@ -2955,17 +2955,15 @@ EOD;
$cpiflist[] = "{$tmpif}";
$cpipm = get_interface_ip($cpifgrp);
if(is_ipaddr($cpipm)) {
- $carpif = link_ip_to_carp_interface($cpipm);
- if (!empty($carpif)) {
- $cpiflist[] = $carpif;
- $carpsif = explode(" ", $carpif);
- foreach ($carpsif as $cpcarp) {
- $carpip = find_interface_ip($cpcarp);
- if (is_ipaddr($carpip))
- $cpiplist[] = $carpip;
+ $cpiplist[] = $cpipm;
+ if (!is_array($config['virtualip']) || !is_array($config['virtualip']['vip'])) {
+ continue;
+ }
+ foreach ($config['virtualip']['vip'] as $vip) {
+ if (($vip['interface'] == $cpifgrp) && (($vip['mode'] == "carp") || ($vip['mode'] == "ipalias"))) {
+ $cpiplist[] = $vip['subnet'];
}
}
- $cpiplist[] = $cpipm;
}
}
}
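Review bot: The `continue` at the VIP guard leaves the enclosing loop for every interface on an install with no virtual IPs; nothing in this hunk follows the `is_ipaddr` block, so it is harmless here, but the loop header and any later body lines are outside the hunk and the same construct in captiveportal.inc in this commit does skip a statement. Write it as a positive condition around the `foreach` instead: `if (is_array($config['virtualip']) && is_array($config['virtualip']['vip'])) {`. `$vip['subnet']` is appended without the `is_ipaddr()` check that `$cpipm` gets just above it; since these values end up in pf rules, `if (is_ipaddr($vip['subnet'])) $cpiplist[] = $vip['subnet'];` keeps one malformed VIP entry from breaking rule generation.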
@@ -3126,12 +3124,15 @@ EOD;
$tracker = $saved_tracker;
switch($oc['type6']) {
case "6rd":
- $ipfrules .= <<<EOD
+ if (is_ipaddrv4($config['interfaces'][$on]['gateway-6rd'])) {
+ $ipfrules .= <<<EOD
# allow our proto 41 traffic from the 6RD border relay in
pass in {$log['pass']} on \${$oc['descr']} proto 41 from {$config['interfaces'][$on]['gateway-6rd']} to any tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic in for 6rd on {$oc['descr']}")}"
pass out {$log['pass']} on \${$oc['descr']} proto 41 from any to {$config['interfaces'][$on]['gateway-6rd']} tracker {$increment_tracker($tracker)} label "{$fix_rule_label("Allow 6in4 traffic out for 6rd on {$oc['descr']}")}"
EOD;
+ }
+
/* XXX: Really need to allow 6rd traffic coming in for v6 this is against default behaviour! */
if (0 && is_ipaddrv6($oc['ipv6'])) {
$ipfrules .= <<<EOD
diff --git a/etc/inc/functions.inc b/etc/inc/functions.inc
index a89aeff..b7b7001 100644
--- a/etc/inc/functions.inc
+++ b/etc/inc/functions.inc
@@ -97,7 +97,7 @@ if(!function_exists("get_menu_messages")) {
foreach ($notices as $key => $value) {
$date = date("m-d-y H:i:s", $key);
$noticemsg = ($value['notice'] != "" ? $value['notice'] : $value['id']);
- $noticemsg = preg_replace("/(\"|\'|\n|<.?\w+>)/i","",$noticemsg);
+ $noticemsg = strip_tags(preg_replace("/(\"|\'|\n|<.?\w+>)/i","",$noticemsg));
if ((strlen($noticemsg)* 8) > $domtt_width)
$domtt_width=(strlen($noticemsg) *8);
if ((strlen($noticemsg)* 8) > 900)
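Review bot: `strip_tags()` layered over the existing regex is still a blacklist: the text is then used to size a tooltip and, presumably beyond this hunk, to populate it, and neither step encodes characters for the HTML or JavaScript context it lands in. Removing quotes makes attribute breakout harder, but encoding at the point of emission — `htmlspecialchars($noticemsg, ENT_QUOTES, 'UTF-8')` for markup, `json_encode()` if it goes into a script block — is the reliable fix, and the stripping can stay for the width calculation. The width uses `strlen()`, which counts bytes, so multibyte notices get over-wide tooltips; `mb_strlen()` would be more accurate. The emitting line is not visible in this hunk.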
diff --git a/etc/inc/globals.inc b/etc/inc/globals.inc
index 7a8a09a..55c98eb 100644
--- a/etc/inc/globals.inc
+++ b/etc/inc/globals.inc
@@ -74,12 +74,11 @@ $g = array(
"disablecrashreporter" => false,
"crashreporterurl" => "https://crashreporter.pfsense.org/crash_reporter.php",
"debug" => false,
- "latest_config" => "11.8",
+ "latest_config" => "11.9",
"nopkg_platforms" => array("cdrom"),
"minimum_ram_warning" => "101",
"minimum_ram_warning_text" => "128 MB",
"wan_interface_name" => "wan",
- "nopccard_platforms" => array("wrap", "net48xx"),
"xmlrpcbaseurl" => "https://packages.pfsense.org",
"captiveportal_path" => "/usr/local/captiveportal",
"captiveportal_element_path" => "/var/db/cpelements",
diff --git a/etc/inc/interfaces.inc b/etc/inc/interfaces.inc
index 2e5438c..b425434 100644
--- a/etc/inc/interfaces.inc
+++ b/etc/inc/interfaces.inc
@@ -4863,7 +4863,7 @@ function get_interface_ipv6($interface = "wan", $flush = false) {
case 'pptp':
case 'ppp':
if ($config['interfaces'][$interface]['ipaddrv6'] == 'dhcp6')
- $realif = get_real_interface($interface, "inet6", true);
+ $realif = get_real_interface($interface, "inet6", false);
break;
}
}
diff --git a/etc/inc/ipsec.inc b/etc/inc/ipsec.inc
index d3a6fe8..6654166 100644
--- a/etc/inc/ipsec.inc
+++ b/etc/inc/ipsec.inc
@@ -54,6 +54,7 @@ $my_identifier_list = array(
global $peer_identifier_list;
$peer_identifier_list = array(
+ 'any' => array('desc' => gettext('Any'), 'mobile' => true),
'peeraddress' => array('desc' => gettext('Peer IP address'), 'mobile' => false),
'address' => array('desc' => gettext('IP address'), 'mobile' => false),
'fqdn' => array('desc' => gettext('Distinguished name'), 'mobile' => true),
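Review bot: The new `'any'` peer identifier is described only as gettext('Any'), and nothing here says what it means for the mobile case (the daemon configuration it drives lives in vpn.inc, which is not shown). If, as the name suggests, it disables peer identity matching, the option text should say so — e.g. `gettext('Any (peer identifier is not checked)')` — and the phase 1 page should explain the consequence for deployments that rely on the identifier to separate mobile users. Confirm the actual effect against vpn.inc before wording the warning.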
diff --git a/etc/inc/notices.inc b/etc/inc/notices.inc
index 91d3800..7dc2834 100644
--- a/etc/inc/notices.inc
+++ b/etc/inc/notices.inc
@@ -80,6 +80,9 @@ function file_notice($id, $notice, $category = "General", $url = "", $priority =
'category' => $category,
'priority' => $priority,
);
+ while (isset($queue[$queuekey])) {
+ $queuekey++;
+ }
$queue[$queuekey] = $toqueue;
$queueout = fopen($notice_path, "w");
if(!$queueout) {
diff --git a/etc/inc/openvpn.auth-user.php b/etc/inc/openvpn.auth-user.php
index 3a077b7..b753f71 100644
--- a/etc/inc/openvpn.auth-user.php
+++ b/etc/inc/openvpn.auth-user.php
@@ -181,17 +181,15 @@ if (is_array($attributes['routes'])) {
}
if (isset($attributes['framed_ip'])) {
-/* XXX: only use when TAP windows driver >= 8.2.x */
-/* if (isset($attributes['framed_mask'])) {
- $content .= "topology subnet\n";
- $content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
- } else {
-*/
- $content .= "topology net30\n";
- $content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) + 1));
-// }
+ if (isset($attributes['framed_mask'])) {
+ $content .= "topology subnet\n";
+ $content .= "ifconfig-push {$attributes['framed_ip']} {$attributes['framed_mask']}";
+ } else {
+ $content .= "topology net30\n";
+ $content .= "ifconfig-push {$attributes['framed_ip']} ". long2ip((ip2long($attributes['framed_ip']) - 1));
+ }
}
-
+
if (!empty($content))
@file_put_contents("{$g['tmp_path']}/{$username}", $content);
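Review bot: `framed_ip` and `framed_mask` from the RADIUS reply are written into the client's ccd directives without validation, so a non-IPv4 value, or one of the two Framed-IP-Address values RFC 2865 reserves (255.255.255.254 for "NAS picks", 255.255.255.255 for "user picks"), produces a broken `ifconfig-push` line or a mis-addressed client. Guard both: `if (isset($attributes['framed_ip']) && is_ipaddrv4($attributes['framed_ip']) && !in_array($attributes['framed_ip'], array('255.255.255.254', '255.255.255.255'), true))`, and `is_ipaddrv4($attributes['framed_mask'])` before choosing the subnet topology. The change from `+ 1` to `- 1` for the net30 peer address is unexplained; a comment stating which end of the /30 pair `framed_ip` is assumed to be would make it reviewable. The file name on the last line is `$username` as supplied by the client; unless it is sanitised earlier in this script (outside the hunk) that is a path-traversal vector independent of this change.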
diff --git a/etc/inc/pfsense-utils.inc b/etc/inc/pfsense-utils.inc
index 19edcf2..e363b39 100644
--- a/etc/inc/pfsense-utils.inc
+++ b/etc/inc/pfsense-utils.inc
@@ -126,19 +126,24 @@ function get_tmp_file() {
/****f* pfsense-utils/get_dns_servers
* NAME
- * get_dns_servres - get system dns servers
+ * get_dns_servers - get system dns servers
* INPUTS
- * $dns_servers - an array of the dns servers
+ * none
* RESULT
- * null
+ * $dns_servers - an array of the dns servers
******/
function get_dns_servers() {
$dns_servers = array();
- $dns_s = file("/etc/resolv.conf", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
- foreach($dns_s as $dns) {
- $matches = "";
- if (preg_match("/nameserver (.*)/", $dns, $matches))
- $dns_servers[] = $matches[1];
+ if (file_exists("/etc/resolv.conf")) {
+ $dns_s = file("/etc/resolv.conf", FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+ }
+ if (is_array($dns_s)) {
+ foreach ($dns_s as $dns) {
+ $matches = "";
+ if (preg_match("/nameserver (.*)/", $dns, $matches)) {
+ $dns_servers[] = $matches[1];
+ }
+ }
}
return array_unique($dns_servers);
}
@@ -2121,8 +2126,8 @@ function version_compare_string($a, $b) {
return 0;
}
function version_compare_numeric($a, $b) {
- $a_arr = explode('.', rtrim($a, '.0'));
- $b_arr = explode('.', rtrim($b, '.0'));
+ $a_arr = explode('.', rtrim($a, '.'));
+ $b_arr = explode('.', rtrim($b, '.'));
foreach ($a_arr as $n => $val) {
if (array_key_exists($n, $b_arr)) {
@@ -2190,7 +2195,7 @@ function process_alias_urltable($name, $url, $freq, $forceupdate=false) {
if (download_file($url, $urltable_filename . ".tmp", $verify_ssl)) {
mwexec("/usr/bin/sed -E 's/\;.*//g; /^[[:space:]]*($|#)/d' ". escapeshellarg($urltable_filename . ".tmp") . " > " . escapeshellarg($urltable_filename));
if (alias_get_type($name) == "urltable_ports") {
- $ports = explode("\n", file_get_contents($urltable_filename));
+ $ports = explode("\n", str_replace("\r", "", file_get_contents($urltable_filename)));
$ports = group_ports($ports);
file_put_contents($urltable_filename, implode("\n", $ports));
}
diff --git a/etc/inc/pkg-utils.inc b/etc/inc/pkg-utils.inc
index 964f2f4..195de9f 100644
--- a/etc/inc/pkg-utils.inc
+++ b/etc/inc/pkg-utils.inc
@@ -209,6 +209,66 @@ function get_pkg_sizes($pkgs = 'all') {
return array();
}
+/****f* pkg-utils/compare_pkg_versions
+ * NAME
+ * compare_pkg_versions - Decide if the installed package is newer, the same or older than the available package.
+ * INPUTS
+ * $installed_pkg_ver - the package version installed on the system.
+ * $available_pkg_ver - the package version available from the package server.
+ * RESULT
+ * -1 - the installed package is older (an upgrade is available)
+ * 0 - the package versions are the same
+ * 1 - the installed package is newer (somebody has installed a newer version than is officially available)
+ ******/
+function compare_pkg_versions($installed_pkg_ver, $available_pkg_ver) {
+ // If the strings are the same then short-cut all the processing.
+ if (strcmp($installed_pkg_ver, $available_pkg_ver) == 0) {
+ return 0;
+ }
+
+ // Split into pieces that are groups of digits and groups of non-digits.
+ $installed_arr = preg_split( '/([0-9]+)/', $installed_pkg_ver, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
+ $available_arr = preg_split( '/([0-9]+)/', $available_pkg_ver, -1, PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
+ foreach ($installed_arr as $n => $val) {
+ if (array_key_exists($n, $available_arr)) {
+ // Check if this piece looks like a genuine integer like "123", "0" rather than "05", "005", "1a", "abc".
+ // Note: At this point the pieces cannot be like "-1", "+1" so we do not need to worry about those possibilities that filter_var() will see as "genuine integers".
+ $val1_as_int = filter_var($val, FILTER_VALIDATE_INT);
+ $val2_as_int = filter_var($available_arr[$n], FILTER_VALIDATE_INT);
+ if (($val1_as_int === false) || ($val2_as_int === false)) {
+ // One of them does not look like a genuine integer so use string comparison.
+ if (strcasecmp($val, $available_arr[$n]) > 0) {
+ return 1;
+ } elseif (strcasecmp($val, $available_arr[$n]) < 0) {
+ return -1;
+ }
+ } else {
+ // Both look like genuine integers so compare as numbers.
+ if ($val1_as_int > $val2_as_int) {
+ return 1;
+ } elseif ($val1_as_int < $val2_as_int) {
+ return -1;
+ }
+ }
+ } else {
+ // The installed package version is greater, since all components have matched up to this point
+ // and available_arr doesn't have any more data.
+ return 1;
+ }
+ }
+
+ if (count($available_arr) > count($installed_arr)) {
+ // All the installed package components matched the corresponding available package components.
+ // The available package is longer than the installed package, so the installed package is old.
+ return -1;
+ } else {
+ // Both versions are of equal length and value.
+ return 0;
+ }
+
+ return $resp ? $resp : array();
+}
+
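Review bot: The trailing `return $resp ? $resp : array();` is unreachable — both arms of the preceding `if`/`else` return — and `$resp` is never defined in this function, so it reads as a copy-paste leftover; delete it. The docblock should also state the ordering the split-and-compare rule gives to suffixes: when every leading piece matches, the longer string wins, so `1.0rc1` is reported as newer than `1.0` if such version strings ever occur, which is the opposite of the usual convention. `strcmp(...) == 0` works as the short-cut, but `$installed_pkg_ver === $available_pkg_ver` says the same thing more directly.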
/*
* resync_all_package_configs() Force packages to setup their configuration and rc.d files.
* This function may also print output to the terminal indicating progress.
diff --git a/etc/inc/priv.inc b/etc/inc/priv.inc
index c6b244f..e6fa96f 100644
--- a/etc/inc/priv.inc
+++ b/etc/inc/priv.inc
@@ -240,7 +240,7 @@ function getPrivPages(& $entry, & $allowed_pages) {
}
}
-function getAllowedPages($username) {
+function getAllowedPages($username, &$attributes = array()) {
global $config, $_SESSION;
if (!function_exists("ldap_connect"))
@@ -251,8 +251,11 @@ function getAllowedPages($username) {
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
// obtain ldap groups if we are in ldap mode
- if ($authcfg['type'] == "ldap")
+ if ($authcfg['type'] == "ldap") {
$allowed_groups = @ldap_get_groups($username, $authcfg);
+ } elseif ($authcfg['type'] == "radius") {
+ $allowed_groups = @radius_get_groups($attributes);
+ }
if (!$allowed_groups) {
// search for a local user by name
diff --git a/etc/inc/radius.inc b/etc/inc/radius.inc
index bb8bf6c..2b4d472 100644
--- a/etc/inc/radius.inc
+++ b/etc/inc/radius.inc
@@ -484,7 +484,7 @@ class Auth_RADIUS extends PEAR {
break;
case RADIUS_CLASS:
- $this->attributes['class'] = radius_cvt_int($data);
+ $this->attributes['class'] = radius_cvt_string($data);
break;
case RADIUS_FRAMED_PROTOCOL:
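Review bot: The `class` attribute is now stored with a plain assignment, so if the server returns more than one Class attribute (RFC 2865 permits multiple instances) only the last one survives and the others never reach radius_get_groups(). Accumulate instead — `$this->attributes['class'] = isset($this->attributes['class']) ? $this->attributes['class'] . ';' . radius_cvt_string($data) : radius_cvt_string($data);` — which also matches the `;`-separated format radius_get_groups() parses. The attribute loop and switch begin before this hunk, so check there is not already a multi-value collection step before adding one.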
diff --git a/etc/inc/service-utils.inc b/etc/inc/service-utils.inc
index 098ccf6..cec63bf 100644
--- a/etc/inc/service-utils.inc
+++ b/etc/inc/service-utils.inc
@@ -329,13 +329,6 @@ function get_services() {
$services[] = $pconfig;
}
- if (isset($config['installedpackages']['routed']) && $config['installedpackages']['routed']['config'][0]['enable']) {
- $pconfig = array();
- $pconfig['name'] = "routed";
- $pconfig['description'] = gettext("RIP Daemon");
- $services[] = $pconfig;
- }
-
if (isset($config['ipsec']['enable'])) {
$pconfig = array();
$pconfig['name'] = "ipsec";
diff --git a/etc/inc/services.inc b/etc/inc/services.inc
index 73c2411..4b6c4e2 100644
--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -844,6 +844,8 @@ EOD;
$dhcpdconf .= " filename \"{$dhcpifconf['filename32']}\";\n";
$dhcpdconf .= " } else if option arch = 00:07 {\n";
$dhcpdconf .= " filename \"{$dhcpifconf['filename64']}\";\n";
+ $dhcpdconf .= " } else if option arch = 00:09 {\n";
+ $dhcpdconf .= " filename \"{$dhcpifconf['filename64']}\";\n";
$dhcpdconf .= " } else {\n";
$dhcpdconf .= " filename \"{$dhcpifconf['filename']}\";\n";
$dhcpdconf .= " }\n\n";
@@ -1489,73 +1491,6 @@ function services_dhcrelay_configure() {
$dhcrelayifs[] = get_real_interface($dhcrelayif);
}
- /*
- * In order for the relay to work, it needs to be active
- * on the interface in which the destination server sits.
- */
- $srvips = explode(",", $dhcrelaycfg['server']);
- foreach ($srvips as $srcidx => $srvip) {
- unset($destif);
- foreach ($iflist as $ifname) {
- $subnet = get_interface_ip($ifname);
- if (!is_ipaddr($subnet))
- continue;
- $subnet .= "/" . get_interface_subnet($ifname);
- if (ip_in_subnet($srvip, $subnet)) {
- $destif = get_real_interface($ifname);
- break;
- }
- }
- if (!isset($destif)) {
- foreach (get_staticroutes() as $rtent) {
- if (ip_in_subnet($srvip, $rtent['network'])) {
- $a_gateways = return_gateways_array(true);
- $destif = $a_gateways[$rtent['gateway']]['interface'];
- break;
- }
- }
- }
-
- if (!isset($destif)) {
- /* Create a array from the existing route table */
- exec("/usr/bin/netstat -rnWf inet", $route_str);
- array_shift($route_str);
- array_shift($route_str);
- array_shift($route_str);
- array_shift($route_str);
- $route_arr = array();
- foreach($route_str as $routeline) {
- $items = preg_split("/[ ]+/i", $routeline);
- if (is_subnetv4($items[0])) {
- $subnet = $items[0];
- } elseif (is_ipaddrv4($items[0])) {
- $subnet = "{$items[0]}/32";
- } else {
- // Not a subnet or IP address, skip to the next line.
- continue;
- }
- if (ip_in_subnet($srvip, $subnet)) {
- $destif = trim($items[6]);
- break;
- }
- }
- }
-
- if (!isset($destif)) {
- if (is_array($config['gateways']['gateway_item'])) {
- foreach ($config['gateways']['gateway_item'] as $gateway) {
- if (isset($gateway['defaultgw'])) {
- $destif = get_real_interface($gateway['interface']);
- break;
- }
- }
- } else
- $destif = get_real_interface("wan");
- }
-
- if (!empty($destif))
- $dhcrelayifs[] = $destif;
- }
$dhcrelayifs = array_unique($dhcrelayifs);
/* fire up dhcrelay */
@@ -1569,6 +1504,11 @@ function services_dhcrelay_configure() {
if (isset($dhcrelaycfg['agentoption']))
$cmd .= " -a -m replace";
+ $srvips = explode(",", $dhcrelaycfg['server']);
+ if (!is_array($srvips)) {
+ log_error("No DHCP relay destination IP has been configured!");
+ return;
+ }
$cmd .= " " . implode(" ", $srvips);
mwexec($cmd);
unset($cmd);
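Review bot: `explode()` always returns an array here, so the new `!is_array($srvips)` check can never fire; an empty or whitespace server setting reaches `mwexec()` as `implode(" ", array(""))`, starting the daemon with no destination, and the values are interpolated into the shell command unvalidated. Validate and quote them: `$srvips = array_filter(array_map('trim', explode(",", $dhcrelaycfg['server'])), 'is_ipaddrv4');`, then `if (empty($srvips)) { log_error("No DHCP relay destination IP has been configured!"); return; }`, and `$cmd .= " " . implode(" ", array_map('escapeshellarg', $srvips));`. The removed block's comment said the relay had to be active on the interface the server sits on; with that auto-detection gone the admin must include that interface in the relay interface list themselves, which deserves a note in the function comment and the GUI help text.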
@@ -1611,76 +1551,12 @@ function services_dhcrelay6_configure() {
$dhcrelayifs[] = get_real_interface($dhcrelayif);
}
$dhcrelayifs = array_unique($dhcrelayifs);
-
- /*
- * In order for the relay to work, it needs to be active
- * on the interface in which the destination server sits.
- */
$srvips = explode(",", $dhcrelaycfg['server']);
if (!is_array($srvips)) {
- log_error("No destination ip has been configured!");
+ log_error("No destination IP has been configured!");
return;
}
- $srvifaces = array();
- foreach ($srvips as $srcidx => $srvip) {
- unset($destif);
- foreach ($iflist as $ifname) {
- $subnet = get_interface_ipv6($ifname);
- if (!is_ipaddrv6($subnet))
- continue;
- $subnet .= "/" . get_interface_subnetv6($ifname);
- if (ip_in_subnet($srvip, $subnet)) {
- $destif = get_real_interface($ifname);
- break;
- }
- }
- if (!isset($destif)) {
- if (is_array($config['staticroutes']['route'])) {
- foreach ($config['staticroutes']['route'] as $rtent) {
- if (ip_in_subnet($srvip, $rtent['network'])) {
- $a_gateways = return_gateways_array(true);
- $destif = $a_gateways[$rtent['gateway']]['interface'];
- break;
- }
- }
- }
- }
-
- if (!isset($destif)) {
- /* Create a array from the existing route table */
- exec("/usr/bin/netstat -rnWf inet6", $route_str);
- array_shift($route_str);
- array_shift($route_str);
- array_shift($route_str);
- array_shift($route_str);
- $route_arr = array();
- foreach($route_str as $routeline) {
- $items = preg_split("/[ ]+/i", $routeline);
- if (ip_in_subnet($srvip, $items[0])) {
- $destif = trim($items[6]);
- break;
- }
- }
- }
-
- if (!isset($destif)) {
- if (is_array($config['gateways']['gateway_item'])) {
- foreach ($config['gateways']['gateway_item'] as $gateway) {
- if (isset($gateway['defaultgw'])) {
- $destif = get_real_interface($gateway['interface']);
- break;
- }
- }
- } else
- $destif = get_real_interface("wan");
- }
-
- if (!empty($destif)) {
- $srvifaces[] = "{$srvip}%{$destif}";
- }
- }
-
/* fire up dhcrelay */
if (empty($dhcrelayifs) || empty($srvifaces) ) {
log_error("No suitable interface found for running dhcrelay -6!");
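Review bot: After this deletion nothing assigns `$srvifaces` — the `$srvifaces = array();` initialisation and the loop that filled it with `{$srvip}%{$destif}` entries are both removed — yet the check on the hunk's last line still reads `empty($srvifaces)`, so it is always true and dhcrelay -6 is never started. Change the condition to `if (empty($dhcrelayifs) || empty($srvips))` and use `$srvips` wherever `$srvifaces` was consumed after this hunk. The removed code appended `%{$destif}` to every address, which is the form link-local IPv6 destinations require; without it the admin must enter the scope themselves, and the log message or GUI text should say so. services_dhcrelay6_configure continues beyond this hunk.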
@@ -2408,8 +2284,13 @@ function configure_cron() {
file_put_contents("/etc/crontab", $crontab_contents);
unset($crontab_contents);
+ /* make sure that cron is running and start it if it got killed somehow */
+ if (!is_process_running("cron")) {
+ exec("cd /tmp && /usr/sbin/cron -s 2>/dev/null");
+ } else {
/* do a HUP kill to force sync changes */
- sigkillbypid("{$g['varrun_path']}/cron.pid", "HUP");
+ sigkillbypid("{$g['varrun_path']}/cron.pid", "HUP");
+ }
conf_mount_ro();
}
diff --git a/etc/inc/shaper.inc b/etc/inc/shaper.inc
index 3ea7eb9..2b4e3dd 100644
--- a/etc/inc/shaper.inc
+++ b/etc/inc/shaper.inc
@@ -1233,7 +1233,7 @@ class priq_queue {
$form .= "</span></td></tr><tr>";
$form .= "<td width=\"22%\" class=\"vncellreq\">" . gettext("Description") . "</td>";
$form .= "<td width=\"78%\" class=\"vtable\">";
- $form .= "<input type=\"text\" name=\"description\" size=\"40\" class=\"formfld unknown\" value=\"" . $this->GetDescription() . "\" />";
+ $form .= "<input type=\"text\" name=\"description\" size=\"40\" class=\"formfld unknown\" value=\"" . htmlspecialchars($this->GetDescription()) . "\" />";
$form .= "</td></tr>";
$form .= "<input type=\"hidden\" name=\"interface\" id=\"interface\"";
$form .= " value=\"".$this->GetInterface()."\" />";
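Review bot: The hidden `interface` field two lines below the escaped description still writes `$this->GetInterface()` raw into a double-quoted attribute, so the same attribute-injection this hunk closes for the description remains open for the interface name; change the line to `$form .= " value=\"" . htmlspecialchars($this->GetInterface()) . "\" />";`. The three later hunks in this file (ending at the `vexpl` span lines) apply the same `htmlspecialchars()` fix to the description only, so the surrounding hidden inputs there deserve the same check. The enclosing form-builder methods start and end outside these hunks.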
@@ -3414,7 +3414,7 @@ EOD;
$form .= "<tr><td valign=\"middle\" class=\"vncellreq\">" . gettext("Description") . "</td>";
$form .= "<td class=\"vncellreq\">";
$form .= "<input type=\"text\" class=\"formfld unknown\" size=\"40\" id=\"description\" name=\"description\" value=\"";
- $form .= $this->GetDescription();
+ $form .= htmlspecialchars($this->GetDescription());
$form .= "\" />";
$form .= "<br /> <span class=\"vexpl\">";
$form .= gettext("You may enter a description here for your reference (not parsed).") . "</span>";
@@ -3695,7 +3695,7 @@ class dnqueue_class extends dummynet_class {
$form .= "<tr><td valign=\"middle\" class=\"vncellreq\">" . gettext("Description") . "</td>";
$form .= "<td class=\"vncellreq\">";
$form .= "<input type=\"text\" id=\"description\" class=\"formfld unknown\" size=\"40\" name=\"description\" value=\"";
- $form .= $this->GetDescription();
+ $form .= htmlspecialchars($this->GetDescription());
$form .= "\" />";
$form .= "<br /> <span class=\"vexpl\">";
$form .= gettext("You may enter a description here for your reference (not parsed).") . "</span>";
@@ -3893,7 +3893,7 @@ class layer7 {
$form .= "<tr><td valign=\"middle\" class=\"vncellreq\">" . gettext("Description") . "</td>";
$form .= "<td class=\"vncellreq\">";
$form .= "<input type=\"text\" class=\"formfld unknown\" size=\"40\" id=\"description\" name=\"description\" value=\"";
- $form .= $this->GetRDescription();
+ $form .= htmlspecialchars($this->GetRDescription());
$form .= "\" />";
$form .= "<br /> <span class=\"vexpl\">";
$form .= gettext("You may enter a description here for your reference (not parsed).") . "</span>";
diff --git a/etc/inc/upgrade_config.inc b/etc/inc/upgrade_config.inc
index f622b1f..d3186b5 100644
--- a/etc/inc/upgrade_config.inc
+++ b/etc/inc/upgrade_config.inc
@@ -252,10 +252,12 @@ function upgrade_013_to_014() {
function upgrade_014_to_015() {
global $config;
/* Default route moved */
- if (isset($config['interfaces']['wan']['gateway']))
- if ($config['interfaces']['wan']['gateway'] <> "")
+ if (isset($config['interfaces']['wan']['gateway'])) {
+ if ($config['interfaces']['wan']['gateway'] <> "") {
$config['system']['gateway'] = $config['interfaces']['wan']['gateway'];
- unset($config['interfaces']['wan']['gateway']);
+ }
+ unset($config['interfaces']['wan']['gateway']);
+ }
/* Queues are no longer interface specific */
if (isset($config['interfaces']['lan']['schedulertype']))
@@ -278,9 +280,12 @@ function upgrade_015_to_016() {
$config['system']['alt_firmware_url']['enabled'] = "";
$config['system']['alt_firmware_url']['firmware_base_url'] = $config['system']['firmwareurl'];
$config['system']['alt_firmware_url']['firmware_filename'] = $config['system']['firmwarename'];
- unset($config['system']['firmwareurl'], $config['system']['firmwarename']);
- } else {
- unset($config['system']['firmwareurl'], $config['system']['firmwarename']);
+ }
+ if (isset($config['system']['firmwareurl'])) {
+ unset($config['system']['firmwareurl']);
+ }
+ if (isset($config['system']['firmwarename'])) {
+ unset($config['system']['firmwarename']);
}
}
@@ -288,12 +293,24 @@ function upgrade_015_to_016() {
function upgrade_016_to_017() {
global $config;
/* wipe previous shaper configuration */
- unset($config['shaper']['queue']);
- unset($config['shaper']['rule']);
- unset($config['interfaces']['wan']['bandwidth']);
- unset($config['interfaces']['wan']['bandwidthtype']);
- unset($config['interfaces']['lan']['bandwidth']);
- unset($config['interfaces']['lan']['bandwidthtype']);
+ if (isset($config['shaper']['queue'])) {
+ unset($config['shaper']['queue']);
+ }
+ if (isset($config['shaper']['rule'])) {
+ unset($config['shaper']['rule']);
+ }
+ if (isset($config['interfaces']['wan']['bandwidth'])) {
+ unset($config['interfaces']['wan']['bandwidth']);
+ }
+ if (isset($config['interfaces']['wan']['bandwidthtype'])) {
+ unset($config['interfaces']['wan']['bandwidthtype']);
+ }
+ if (isset($config['interfaces']['lan']['bandwidth'])) {
+ unset($config['interfaces']['lan']['bandwidth']);
+ }
+ if (isset($config['interfaces']['lan']['bandwidthtype'])) {
+ unset($config['interfaces']['lan']['bandwidthtype']);
+ }
$config['shaper']['enable'] = FALSE;
}
@@ -343,7 +360,9 @@ function upgrade_017_to_018() {
unset($config['installedpackages']['carp']);
}
/* Server NAT is no longer needed */
- unset($config['nat']['servernat']);
+ if (isset($config['nat']['servernat'])) {
+ unset($config['nat']['servernat']);
+ }
/* enable SSH */
if ($config['version'] == "1.8") {
@@ -354,7 +373,7 @@ function upgrade_017_to_018() {
function upgrade_018_to_019() {
global $config;
- $config['theme']="metallic";
+ $config['theme'] = "metallic";
}
@@ -405,7 +424,9 @@ function upgrade_023_to_024() {
function upgrade_024_to_025() {
global $config;
$config['interfaces']['wan']['use_rrd_gateway'] = $config['system']['use_rrd_gateway'];
- unset($config['system']['use_rrd_gateway']);
+ if (isset($config['system']['use_rrd_gateway'])) {
+ unset($config['system']['use_rrd_gateway']);
+ }
}
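Review bot: The read on the first line of the function body is still unguarded: `$config['system']['use_rrd_gateway']` is copied into the wan section before the new `isset()` check, so when the key is absent the assignment raises an undefined-index notice and stores a null under `$config['interfaces']['wan']['use_rrd_gateway']`. Move the copy inside the guard: `if (isset($config['system']['use_rrd_gateway'])) {` / `$config['interfaces']['wan']['use_rrd_gateway'] = $config['system']['use_rrd_gateway'];` / `unset($config['system']['use_rrd_gateway']);` and close the block.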
@@ -580,7 +601,7 @@ function upgrade_039_to_040() {
$config['system']['webgui']['auth_method'] = "session";
$config['system']['webgui']['backing_method'] = "htpasswd";
- if (isset ($config['system']['username'])) {
+ if (isset($config['system']['username'])) {
$config['system']['group'] = array();
$config['system']['group'][0]['name'] = "admins";
$config['system']['group'][0]['description'] = gettext("System Administrators");
@@ -620,8 +641,10 @@ function upgrade_039_to_040() {
$config['system']['nextgid'] = "111";
/* wipe previous auth configuration */
- unset ($config['system']['username']);
- unset ($config['system']['password']);
+ unset($config['system']['username']);
+ if (isset($config['system']['password'])) {
+ unset($config['system']['password']);
+ }
}
}
@@ -1455,7 +1478,9 @@ function upgrade_050_to_051() {
$pconfig['value'] = "0";
$config['sysctl']['item'][] = $pconfig;
- unset($config['bridge']);
+ if (isset($config['bridge'])) {
+ unset($config['bridge']);
+ }
$convert_bridges = false;
foreach($config['interfaces'] as $intf) {
@@ -1959,7 +1984,9 @@ function upgrade_053_to_054() {
if(empty($config['load_balancer'])) {
unset($config['load_balancer']);
} else {
- unset($config['load_balancer']['lbpool']);
+ if (isset($config['load_balancer']['lbpool'])) {
+ unset($config['load_balancer']['lbpool']);
+ }
}
} else {
$config['load_balancer']['lbpool'] = $lbpool_srv_arr;
@@ -2848,10 +2875,10 @@ function upgrade_083_to_084() {
$config['hasync'] = $config['installedpackages']['carpsettings']['config'][0];
unset($config['installedpackages']['carpsettings']);
}
- if (empty($config['installedpackages']['carpsettings'])) {
+ if (empty($config['installedpackages']['carpsettings']) && isset($config['installedpackages']['carpsettings'])) {
unset($config['installedpackages']['carpsettings']);
}
- if (empty($config['installedpackages'])) {
+ if (empty($config['installedpackages']) && isset($config['installedpackages'])) {
unset($config['installedpackages']);
}
}
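Review bot: The two new conditions put `empty()` before `isset()`, which reads as if emptiness were the primary test; since `empty()` is already true for a missing key, the `isset()` only serves to skip an `unset()` of something that does not exist. Writing them as `if (isset($config['installedpackages']['carpsettings']) && empty($config['installedpackages']['carpsettings'])) {` (and likewise for `installedpackages`) states the intent — "exists but is empty" — directly.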
@@ -3237,8 +3264,12 @@ function upgrade_102_to_103() {
$config['nat']['outbound'] = $config['nat']['advancedoutbound'];
- unset($config['nat']['ipsecpassthru']);
- unset($config['nat']['advancedoutbound']);
+ if (isset($config['nat']['ipsecpassthru'])) {
+ unset($config['nat']['ipsecpassthru']);
+ }
+ if (isset($config['nat']['advancedoutbound'])) {
+ unset($config['nat']['advancedoutbound']);
+ }
}
function upgrade_103_to_104() {
@@ -3508,17 +3539,21 @@ function upgrade_111_to_112() {
function upgrade_112_to_113() {
global $config;
- if (isset($config['notifications']['smtp']['ssl']) &&
- $config['notifications']['smtp']['ssl'] == "checked")
- $config['notifications']['smtp']['ssl'] = true;
- else
- unset($config['notifications']['smtp']['ssl']);
+ if (isset($config['notifications']['smtp']['ssl'])) {
+ if ($config['notifications']['smtp']['ssl'] == "checked") {
+ $config['notifications']['smtp']['ssl'] = true;
+ } else {
+ unset($config['notifications']['smtp']['ssl']);
+ }
+ }
- if (isset($config['notifications']['smtp']['tls']) &&
- $config['notifications']['smtp']['tls'] == "checked")
- $config['notifications']['smtp']['tls'] = true;
- else
- unset($config['notifications']['smtp']['tls']);
+ if (isset($config['notifications']['smtp']['tls'])) {
+ if ($config['notifications']['smtp']['tls'] == "checked") {
+ $config['notifications']['smtp']['tls'] = true;
+ } else {
+ unset($config['notifications']['smtp']['tls']);
+ }
+ }
}
function upgrade_113_to_114() {
@@ -3601,4 +3636,21 @@ function upgrade_117_to_118() {
}
}
+function upgrade_118_to_119() {
+ global $config;
+
+ if (!isset($config['ipsec']['phase1'])) {
+ return;
+ }
+
+ // change peerid_type to 'any' for EAP types to retain previous behavior of omitting rightid
+ $a_phase1 =& $config['ipsec']['phase1'];
+
+ foreach ($a_phase1 as &$ph1_entry) {
+ if (strstr($ph1_entry['authentication_method'], 'eap')) {
+ $ph1_entry['peerid_type'] = "any";
+ }
+ }
+}
+
?>
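Review bot: `foreach ($a_phase1 as &$ph1_entry)` leaves `$ph1_entry` aliased to the last phase1 entry after the loop; it is harmless here only because the function returns immediately, but the idiom is to add `unset($ph1_entry);` after the closing brace so a later edit cannot silently clobber that entry. `isset($config['ipsec']['phase1'])` also does not establish that the value is an array, and `$ph1_entry['authentication_method']` is read without an `isset()`, so an entry lacking that key will emit a notice; `if (!is_array($config['ipsec']['phase1']))` for the early return and `if (isset($ph1_entry['authentication_method']) && strstr(...))` for the test cover both.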
diff --git a/etc/inc/voucher.inc b/etc/inc/voucher.inc
index b7de186..863cc17 100644
--- a/etc/inc/voucher.inc
+++ b/etc/inc/voucher.inc
@@ -371,8 +371,12 @@ function voucher_auth($voucher_received, $test = 0) {
// Roll# and Ticket# using the external readvoucher binary
foreach ($a_vouchers_received as $voucher) {
$v = escapeshellarg($voucher);
- if (strlen($voucher) < 3)
+ if (strlen($voucher) < 3) {
+ $test_result[] = "{$voucher} invalid: Too short!";
+ captiveportal_syslog("{$voucher} invalid: Too short!");
+ $error++;
continue; // seems too short to be a voucher!
+ }
$result = exec("/usr/local/bin/voucher -c {$g['varetc_path']}/voucher_{$cpzone}.cfg -k {$g['varetc_path']}/voucher_{$cpzone}.public -- $v");
list($status, $roll, $nr) = explode(" ", $result);
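Review bot: The two new lines build the same message literal twice, once for `$test_result[]` and once for `captiveportal_syslog()`, so the two will drift apart on the next edit; build it once, `$msg = "{$voucher} invalid: Too short!"; $test_result[] = $msg; captiveportal_syslog($msg);`. The `$error++` on the next line presumes `$error` is initialised earlier in `voucher_auth()`, which starts outside this hunk, so that is worth confirming.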
@@ -553,6 +557,9 @@ function voucher_configure_zone($sync = false) {
foreach ($config['voucher'][$cpzone]['roll'] as $rollent) {
$roll = $rollent['number'];
+ $len = ($rollent['count'] >> 3) + 1;
+ if (strlen(base64_decode($rollent['used'])) != $len)
+ $rollent['used'] = base64_encode(str_repeat("\000", $len));
voucher_write_used_db($roll, $rollent['used']);
$minutes = $rollent['minutes'];
$active_vouchers = array();
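Review bot: The reset on the two added lines silently replaces the roll's `used` bitmap with all-zero bytes whenever its decoded length differs from `($rollent['count'] >> 3) + 1`, which presumably re-enables every voucher on that roll that had been marked used; that may be the right recovery for a corrupted or resized roll, but it should leave a trace. Add a log line beside the reassignment, e.g. `captiveportal_syslog("Roll {$roll}: used-voucher bitmap has unexpected length, resetting it");`, and give the `if` braces as the rest of this commit's new code in the file does.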
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index 6772f6d..21a249e 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -591,7 +591,7 @@ EOD;
if (is_array($config['crl']) && count($config['crl'])) {
foreach ($config['crl'] as $crl) {
if (!isset($crl['text'])) {
- log_error(sprintf(gettext("Error: Invalid CRL data for %s"), $crl['descr']));
+ log_error(sprintf(gettext("Warning: Missing CRL data for %s"), $crl['descr']));
continue;
}
$fpath = "{$crlpath}/{$crl['refid']}.crl";
@@ -862,7 +862,9 @@ EOD;
// Only specify peer ID if we are not dealing with mobile PSK
} else {
list ($peerid_type, $peerid_data) = ipsec_find_id($ph1ent, 'peer', $rgmap);
- if ($peerid_type != 'address' && $peerid_type != 'keyid' && $peerid_type != 'asn1dn') {
+ if ($peerid_type == 'any') {
+ $peerid_spec = '';
+ } elseif ($peerid_type != 'address' && $peerid_type != 'keyid' && $peerid_type != 'asn1dn') {
$peerid_spec = "{$peerid_type}:{$peerid_data}";
} elseif ($peerid_type == "asn1dn") {
/* asn1dn needs double quotes */
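Review bot: The new `'any'` branch assigns an empty `$peerid_spec` with no explanation of why that is the intended result; a comment tying it to the upgrade step in this same commit would help, e.g. `/* 'any': leave rightid out of the connection so the peer's identity is not checked (previous behaviour for EAP methods) */`. Whether an empty `$peerid_spec` actually results in the `rightid` line being omitted depends on the consumer further down, which is outside this hunk; if it emits `rightid = {$peerid_spec}` unconditionally, an empty value would produce a malformed line rather than omitting it, so that path is worth confirming. The enclosing function starts and ends outside the hunk.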
diff --git a/etc/phpshellsessions/enableallowallwan b/etc/phpshellsessions/enableallowallwan
index 94c0b7b..5ce4f0f 100644
--- a/etc/phpshellsessions/enableallowallwan
+++ b/etc/phpshellsessions/enableallowallwan
@@ -24,6 +24,8 @@ $filterent["descr"] = "Allow all ipv6 via pfSsh.php";
$config["filter"]["rule"][] = $filterent;
echo "Turning off block private networks (if on)...\n";
unset($config["interfaces"]["wan"]["blockpriv"]);
+echo "Turning off block bogon networks (if on)...\n";
+unset($config["interfaces"]["wan"]["blockbogons"]);
unlink_if_exists("/tmp/config.cache");
write_config("pfSsh.php added allow all wan rule");
unlink_if_exists("/tmp/config.cache");
diff --git a/etc/rc.filter_synchronize b/etc/rc.filter_synchronize
index a17e50e..1ff1c61 100755
--- a/etc/rc.filter_synchronize
+++ b/etc/rc.filter_synchronize
@@ -123,12 +123,14 @@ function carp_check_version($url, $username, $password, $port = 80, $method = 'p
}
} else {
if (!isset($parsed_response['config_version']) ||
- $parsed_response['config_version'] < $config['version']) {
- update_filter_reload_status("The other member is on older configuration version of {$g['product_name']}. Sync will not be done to prevent problems!");
- log_error("The other member is on older configuration version of {$g['product_name']}. Sync will not be done to prevent problems!");
+ ($parsed_response['config_version'] < $config['version']) ||
+ ($parsed_response['config_version'] > $config['version'])) {
+ update_filter_reload_status("The other member is on a different configuration version of {$g['product_name']}. Sync will not be done to prevent problems!");
+ log_error("The other member is on a different configuration version of {$g['product_name']}. Sync will not be done to prevent problems!");
return false;
- } else
+ } else {
return true;
+ }
}
}
log_error($error);
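Review bot: The new condition spells "different" as `(a < b) || (a > b)`, which is exactly `a != b` and harder to read; write it as `$parsed_response['config_version'] != $config['version']) {` on one line. The rewritten messages are duplicated verbatim in `update_filter_reload_status()` and `log_error()`; a single `$msg` variable would keep them in step. `carp_check_version()` begins outside this hunk.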
diff --git a/etc/rc.firmware_auto b/etc/rc.firmware_auto
index be5da91..45153a3 100755
--- a/etc/rc.firmware_auto
+++ b/etc/rc.firmware_auto
@@ -1,5 +1,9 @@
#!/bin/sh
+# /etc/rc.firmware_auto
+# Copyright (C) 2005-2015 Electric Sheep Fencing LLC
+# Part of pfSense
+
# $Id$
FMBASEURL=$1
@@ -20,69 +24,49 @@ if [ $# -gt 3 ]; then
HTTP_AUTH="basic:*:$3:$4"
fi
-#echo "Downloading $FMFILENAME from $FMBASEURL ..." | logger -p daemon.info -i -t AutoUpgrade
-#/usr/bin/fetch -o /tmp/latest.tgz $FETCHFILENAME | logger -p daemon.info -i -t AutoUpgrade
-#echo "Downloading $FMFILENAME.md5 from $FMBASEURL ..." | logger -p daemon.info -i -t AutoUpgrade
-#/usr/bin/fetch -o /tmp/latest.tgz.md5 $FETCHFILENAME.md5 | logger -p daemon.info -i -t AutoUpgrade
+if [ $# -gt 1 ]; then
+ echo "Downloading $FMFILENAME from $FMBASEURL ..." | logger -p daemon.info -i -t AutoUpgrade
+ /usr/bin/fetch -o /tmp/latest.tgz $FETCHFILENAME | logger -p daemon.info -i -t AutoUpgrade
+ echo "Downloading $FMFILENAME.sha256 from $FMBASEURL ..." | logger -p daemon.info -i -t AutoUpgrade
+ /usr/bin/fetch -o /tmp/latest.tgz.sha256 $FETCHFILENAME.sha256 | logger -p daemon.info -i -t AutoUpgrade
+fi
-PMD=`/bin/cat /tmp/latest.tgz.md5 | cut -d" " -f4 `
-MD=`/sbin/md5 /tmp/latest.tgz | cut -d" " -f4`
+DLHASH=`/bin/cat /tmp/latest.tgz.sha256 | cut -d" " -f4 `
+FILEHASH=`/sbin/sha256 /tmp/latest.tgz | cut -d" " -f4`
PLATFORM=`cat /etc/platform`
-echo " Package MD5: ${PMD}" | logger -p daemon.info -i -t AutoUpgrade
-echo "Downloaded MD5: ${MD}" | logger -p daemon.info -i -t AutoUpgrade
+echo " Package sha256: ${DLHASH}" | logger -p daemon.info -i -t AutoUpgrade
+echo "Downloaded sha256: ${FILEHASH}" | logger -p daemon.info -i -t AutoUpgrade
-if [ "$PMD" = "" ]; then
- echo "Package MD5 is null md5. Require proxy auth?" | logger -p daemon.info -i -t AutoUpgrade
- exit 1
+if [ "$DLHASH" = "" ]; then
+ echo "Downloaded sha256 is null. Require proxy auth?" | logger -p daemon.info -i -t AutoUpgrade
+ exit 1
fi
-if [ "$MD" = "" ]; then
- echo "Downloaded MD5 is null md5. Require proxy auth?" | logger -p daemon.info -i -t AutoUpgrade
- exit 1
+if [ "$FILEHASH" = "" ]; then
+ echo "Downloaded file's sha256 is null." | logger -p daemon.info -i -t AutoUpgrade
+ exit 1
fi
-if [ "$PMD" = "$MD" ]; then
- echo "MD5's match." | logger -p daemon.info -i -t AutoUpgrade
- echo "Beginning ${product} upgrade." | wall
- if [ "$PLATFORM" = "net45xx" ]; then
- /usr/local/bin/php /etc/rc.conf_mount_rw
- fi
- if [ "$PLATFORM" = "wrap" ]; then
- /usr/local/bin/php /etc/rc.conf_mount_rw
- fi
- if [ "$PLATFORM" = "nanobsd" ]; then
- /usr/local/bin/php /etc/rc.conf_mount_rw
- fi
- if [ -r "/tmp/custom.tgz" ]; then
- sh /etc/rc.firmware pfSenseupgrade /tmp/latest.tgz /tmp/custom.tgz
- else
- if [ "$PLATFORM" = "nanobsd" ]; then
- sh /etc/rc.firmware pfSenseNanoBSDupgrade /tmp/latest.tgz
- else
- sh /etc/rc.firmware pfSenseupgrade /tmp/latest.tgz
- fi
- fi
- if [ "$PLATFORM" = "wrap" ]; then
- /bin/sync
- sleep 5
- /usr/local/bin/php /etc/rc.conf_mount_ro
- if [ -e /etc/init_bootloader.sh ]; then
- sh /etc/init_bootloader.sh
- fi
- fi
- if [ "$PLATFORM" = "net45xx" ]; then
- /bin/sync
- sleep 5
- /usr/local/bin/php /etc/rc.conf_mount_ro
- if [ -e /etc/init_bootloader.sh ]; then
- sh /etc/init_bootloader.sh
- fi
- fi
- exit 0
+if [ "$DLHASH" = "$FILEHASH" ]; then
+ echo "sha256 hashes match." | logger -p daemon.info -i -t AutoUpgrade
+ echo "Beginning ${product} upgrade." | wall
+ if [ "$PLATFORM" = "nanobsd" ]; then
+ /usr/local/bin/php /etc/rc.conf_mount_rw
+ fi
+ if [ -r "/tmp/custom.tgz" ]; then
+ sh /etc/rc.firmware pfSenseupgrade /tmp/latest.tgz /tmp/custom.tgz
+ else
+ if [ "$PLATFORM" = "nanobsd" ]; then
+ sh /etc/rc.firmware pfSenseNanoBSDupgrade /tmp/latest.tgz
+ else
+ sh /etc/rc.firmware pfSenseupgrade /tmp/latest.tgz
+ fi
+ fi
+ exit 0
fi
-echo "MD5's do not match. Upgrade aborted." | logger -p daemon.info -i -t AutoUpgrade
+echo "sha256 hashes do not match. Upgrade aborted." | logger -p daemon.info -i -t AutoUpgrade
rm /tmp/latest*
exit 1
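Review bot: The comparison at `if [ "$DLHASH" = "$FILEHASH" ]` only shows that the image and its `.sha256` file agree with each other: both are fetched from the same `$FMBASEURL` on the lines above, so a matching pair proves the download is uncorrupted, not that it is authentic — whether `/etc/rc.firmware` performs a signature check before installing is outside this file and worth confirming. Separately, a failed `fetch` is invisible because its exit status is swallowed by the pipe into `logger`, and the script then proceeds to hash whatever `/tmp/latest.tgz` happens to exist from an earlier run; run the fetch on its own and fail explicitly, e.g. `/usr/bin/fetch -o /tmp/latest.tgz "$FETCHFILENAME" 2>&1 | logger -p daemon.info -i -t AutoUpgrade` replaced by `if ! /usr/bin/fetch -q -o /tmp/latest.tgz "$FETCHFILENAME"; then echo "Download failed" | logger -p daemon.info -i -t AutoUpgrade; exit 1; fi`, and likewise for the `.sha256` fetch. Quoting `"$FETCHFILENAME"` also protects the URL from word splitting.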
diff --git a/etc/sshd b/etc/sshd
index 007b73c..1f5f899 100755
--- a/etc/sshd
+++ b/etc/sshd
@@ -124,6 +124,7 @@
$sshconf .= "Port $sshport\n";
/* Hide FreeBSD version */
$sshconf .= "VersionAddendum none\n";
+ $sshconf .= "LoginGraceTime 30s\n";
/* Apply package SSHDCond settings if config file exists */
if (file_exists("/etc/sshd_extra")) {
diff --git a/etc/version b/etc/version
index e0a4ab6..6062b1f 100644
--- a/etc/version
+++ b/etc/version
@@ -1 +1 @@
-2.2.4-RELEASE
+2.2.5-DEVELOPMENT
diff --git a/usr/local/sbin/cleargmirror.sh b/usr/local/sbin/cleargmirror.sh
new file mode 100755
index 0000000..a00cc93
--- /dev/null
+++ b/usr/local/sbin/cleargmirror.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+clear_disk() {
+ local _disk="${1}"
+ local _mirror=$(/sbin/gmirror dump ${_disk} 2>/dev/null | sed '/name: /!d; s,^.*: ,,')
+
+ if [ -n "${_mirror}" ]; then
+ /sbin/gmirror destroy -f ${_mirror} >/dev/null 2>&1
+ fi
+ /sbin/gmirror clear ${_disk} >/dev/null 2>&1
+}
+
+mirror="${1}"
+disk1="${2}"
+disk2="${3}"
+
+if [ -z "${mirror}" -o -z "${disk1}" -o -z "${disk2}" ]; then
+ echo "You must specify mirror name, and disks that should be cleared"
+ exit 1
+fi
+
+/sbin/gmirror destroy -f ${mirror} >/dev/null 2>&1
+clear_disk ${disk1}
+clear_disk ${disk2}
+
+exit 0
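Review bot: Every expansion in this new script is unquoted (`${_disk}`, `${_mirror}`, `${mirror}`, `${disk1}`, `${disk2}`), and the argument check uses the obsolescent `-o` form of `test`, which is unreliable when an operand looks like an option; write it as `if [ -z "${mirror}" ] || [ -z "${disk1}" ] || [ -z "${disk2}" ]; then` and quote the variables at each `gmirror` call. `local _mirror=$(...)` also discards the command substitution's exit status, so split the declaration from the assignment if you ever want to react to `gmirror dump` failing. The usage message should go to stderr (`>&2`), since stdout of a tool like this may be captured by a caller.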
diff --git a/usr/local/sbin/cleargpt.sh b/usr/local/sbin/cleargpt.sh
new file mode 100755
index 0000000..07d530a
--- /dev/null
+++ b/usr/local/sbin/cleargpt.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+DISK=$1
+if [ "$DISK" = "" ]; then
+ echo "You must specify the disk that should be formatted/cleared."
+ exit 1
+fi
+for PART in `/sbin/gpart show $DISK | grep -v '=>' | awk '{ print $3 }'`; do
+ if [ "$PART" != "" ]; then
+ /sbin/gpart delete -i $PART $DISK >/dev/null
+ fi
+done
+/sbin/gpart destroy $DISK >/dev/null
+exit 0
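Review bot: The `for PART in ...` loop takes field 3 of every non-header `gpart show` line, but `gpart show` also prints free-space segments as `- free -`, whose third field is `-`; the `"$PART" != ""` test does not filter that, so the loop runs `gpart delete -i - $DISK` and prints an error for each free segment. Select only numeric indices instead: `for PART in $(/sbin/gpart show "$DISK" | awk '$3 ~ /^[0-9]+$/ { print $3 }'); do`. The script also always exits 0, so a caller cannot tell whether `gpart destroy` succeeded; `/sbin/gpart destroy "$DISK" >/dev/null || exit 1` before the final `exit 0` fixes that.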
diff --git a/usr/local/www/bandwidth_by_ip.php b/usr/local/www/bandwidth_by_ip.php
index 74697e6..59cd367 100755
--- a/usr/local/www/bandwidth_by_ip.php
+++ b/usr/local/www/bandwidth_by_ip.php
@@ -55,16 +55,40 @@ else
// get the desired format for displaying the host name or IP
$hostipformat = $_GET['hostipformat'];
$iplookup = array();
-// If hostname display is requested and the DNS forwarder does not already have DHCP static names registered,
-// then load the DHCP static mappings into an array keyed by IP address.
-if (($hostipformat != "") && ((!isset($config['dnsmasq']['enable']) || !isset($config['dnsmasq']['regdhcpstatic']))
- || (!isset($config['unbound']['enable']) || !isset($config['unbound']['regdhcpstatic'])))) {
+// If hostname, description or FQDN is requested then load the locally-known IP address - host/description mappings into an array keyed by IP address.
+if ($hostipformat != "") {
if (is_array($config['dhcpd'])) {
foreach ($config['dhcpd'] as $ifdata) {
if (is_array($ifdata['staticmap'])) {
foreach ($ifdata['staticmap'] as $hostent) {
if (($hostent['ipaddr'] != "") && ($hostent['hostname'] != "")) {
- $iplookup[$hostent['ipaddr']] = $hostent['hostname'];
+ if ($hostipformat == "descr" && $hostent['descr'] != "") {
+ $iplookup[$hostent['ipaddr']] = $hostent['descr'];
+ } else {
+ $iplookup[$hostent['ipaddr']] = $hostent['hostname'];
+ if ($hostipformat == "fqdn") {
+ $iplookup[$hostent['ipaddr']] .= "." . $config['system']['domain'];
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ // Add any DNS host override data keyed by IP address.
+ foreach (array('dnsmasq', 'unbound') as $dns_type) {
+ if (isset($config[$dns_type]['enable'])) {
+ if (is_array($config[$dns_type]['hosts'])) {
+ foreach ($config[$dns_type]['hosts'] as $hostent) {
+ if (($hostent['ip'] != "") && ($hostent['host'] != "")) {
+ if ($hostipformat == "descr" && $hostent['descr'] != "") {
+ $iplookup[$hostent['ip']] = $hostent['descr'];
+ } else {
+ $iplookup[$hostent['ip']] = $hostent['host'];
+ if ($hostipformat == "fqdn") {
+ $iplookup[$hostent['ip']] .= "." . $hostent['domain'];
+ }
+ }
}
}
}
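Review bot: The descr/hostname/fqdn selection is written out twice, once for the DHCP static mappings and once for the dnsmasq/unbound host overrides, differing only in which keys are read; the two copies will diverge on the next format option. Extracting the choice into one small helper keeps the loops to key lookups, and is also the natural place to guard `$hostent['descr']`, which is read without `isset()` in both copies and will emit a notice for entries without a description. The top-level script continues outside the hunk.

```php
// Text shown for one host entry, chosen by the requested display format
// ("descr", "fqdn", or anything else -> bare hostname).
function bandwidth_display_name($hostipformat, $name, $descr, $domain) {
	if ($hostipformat == "descr" && isset($descr) && $descr != "") {
		return $descr;
	}
	if ($hostipformat == "fqdn") {
		return $name . "." . $domain;
	}
	return $name;
}
// … unchanged: dhcpd staticmap loop, whose body becomes …
$iplookup[$hostent['ipaddr']] = bandwidth_display_name($hostipformat, $hostent['hostname'], $hostent['descr'], $config['system']['domain']);
// … unchanged: dnsmasq/unbound hosts loop, whose body becomes …
$iplookup[$hostent['ip']] = bandwidth_display_name($hostipformat, $hostent['host'], $hostent['descr'], $hostent['domain']);
```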
@@ -87,19 +111,23 @@ for ($x=2; $x<12; $x++){
(($filter == "local") && (ip_in_subnet($infoarray[0], $intsubnet))) ||
(($filter == "remote") && (!ip_in_subnet($infoarray[0], $intsubnet)))) {
if ($hostipformat == "") {
+ // pass back just the raw IP address
$addrdata = $infoarray[0];
} else {
- // $hostipformat is "hostname" or "fqdn"
- $addrdata = gethostbyaddr($infoarray[0]);
- if ($addrdata == $infoarray[0]) {
- // gethostbyaddr() gave us back the IP address, so try the static mapping array
- if ($iplookup[$infoarray[0]] != "")
- $addrdata = $iplookup[$infoarray[0]];
+ // $hostipformat is one of "hostname", "descr" or "fqdn" - we want a text representation if we can get it.
+ if ($iplookup[$infoarray[0]] != "") {
+ // We have a local entry, so use it.
+ $addrdata = $iplookup[$infoarray[0]];
} else {
- if ($hostipformat == "hostname") {
- // Only pass back the first part of the name, not the FQDN.
- $name_array = explode(".", $addrdata);
- $addrdata = $name_array[0];
+ // Try to reverse lookup the IP address.
+ $addrdata = gethostbyaddr($infoarray[0]);
+ if ($addrdata != $infoarray[0]) {
+ // Reverse lookup returned something other than the IP address (FQDN, we hope!)
+ if ($hostipformat != "fqdn") {
+ // The user does not want the whole FQDN, so only pass back the first part of the name.
+ $name_array = explode(".", $addrdata);
+ $addrdata = $name_array[0];
+ }
}
}
}
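Review bot: `if ($iplookup[$infoarray[0]] != "")` reads a key that is absent for every address without a local mapping, which is the common case, so each such row raises an undefined-index notice; `if (!empty($iplookup[$infoarray[0]])) {` expresses the same test without it. With this change `$addrdata` can now carry an administrator-entered `descr` string rather than a hostname, so whatever emits `$addrdata` at the end of this loop (outside the hunk) must treat it as arbitrary text and escape it for its output context — worth confirming, since the old values were DNS names.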
diff --git a/usr/local/www/diag_authentication.php b/usr/local/www/diag_authentication.php
index df68560..24d567e 100644
--- a/usr/local/www/diag_authentication.php
+++ b/usr/local/www/diag_authentication.php
@@ -55,9 +55,10 @@ if ($_POST) {
$input_errors[] = gettext("A username and password must be specified.");
if (!$input_errors) {
- if (authenticate_user($_POST['username'], $_POST['passwordfld'], $authcfg)) {
+ $attributes = array();
+ if (authenticate_user($_POST['username'], $_POST['passwordfld'], $authcfg, $attributes)) {
$savemsg = gettext("User") . ": " . $_POST['username'] . " " . gettext("authenticated successfully.");
- $groups = getUserGroups($_POST['username'], $authcfg);
+ $groups = getUserGroups($_POST['username'], $authcfg, $attributes);
$savemsg .= "<br />" . gettext("This user is a member of these groups") . ": <br />";
foreach ($groups as $group)
$savemsg .= "{$group} ";
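Review bot: `$_POST['username']` is concatenated unescaped into `$savemsg` on the success line, and each `$group` name is appended raw on the last line of the hunk, while the second hunk of this file escapes `$auth_server['name']` for the same page; `$savemsg` is presumably rendered as HTML by the page's info box (outside the hunk), so the request-supplied username needs the same treatment: `$savemsg = gettext("User") . ": " . htmlspecialchars($_POST['username']) . " " . gettext("authenticated successfully.");` and `$savemsg .= htmlspecialchars($group) . " ";`. Group names come from the authentication backend, which may be a remote directory, so they are not trusted either.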
@@ -98,7 +99,7 @@ include("head.inc");
if ($auth_server['name'] == $pconfig['authmode'])
$selected = "selected=\"selected\"";
?>
- <option value="<?=$auth_server['name'];?>" <?=$selected;?>><?=$auth_server['name'];?></option>
+ <option value="<?=htmlspecialchars($auth_server['name']);?>" <?=$selected;?>><?=htmlspecialchars($auth_server['name']);?></option>
<?php endforeach; ?>
</select>
</td>
diff --git a/usr/local/www/diag_dump_states.php b/usr/local/www/diag_dump_states.php
index f41a4fd..6bf3f8f 100755
--- a/usr/local/www/diag_dump_states.php
+++ b/usr/local/www/diag_dump_states.php
@@ -195,11 +195,35 @@ while ($line = chop(fgets($fd))) {
/* break up info and extract $srcip and $dstip */
$ends = preg_split("/\<?-\>?/", $info);
- $parts = explode(":", $ends[0]);
- $srcip = trim($parts[0]);
- $parts = explode(":", $ends[count($ends) - 1]);
- $dstip = trim($parts[0]);
-
+ if (strstr($info, "[")) {
+ // IPv6
+ $parts = explode("[", $ends[0]);
+ if (strstr($info, "->")) {
+ $srcip = trim($parts[0]);
+ } else {
+ $dstip = trim($parts[0]);
+ }
+ $parts = explode("[", $ends[count($ends) - 1]);
+ if (strstr($info, "->")) {
+ $dstip = trim($parts[0]);
+ } else {
+ $srcip = trim($parts[0]);
+ }
+ } else {
+ // IPv4
+ $parts = explode(":", $ends[0]);
+ if (strstr($info, "->")) {
+ $srcip = trim($parts[0]);
+ } else {
+ $dstip = trim($parts[0]);
+ }
+ $parts = explode(":", $ends[count($ends) - 1]);
+ if (strstr($info, "->")) {
+ $dstip = trim($parts[0]);
+ } else {
+ $srcip = trim($parts[0]);
+ }
+ }
?>
<tr valign="top" id="r:<?= $srcip ?>:<?= $dstip ?>">
<td class="listlr"><?= $iface ?></td>
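Review bot: The new IPv4/IPv6 branches repeat the `strstr($info, "->")` direction test four times with the two branches differing only in the separator passed to `explode()`, so the logic is hard to verify at a glance and easy to get asymmetric. Choose the separator once, split once per end, and assign direction once; the rewrite below keeps the same decisions (`[` present selects the IPv6 split, `->` present makes the first address the source).

```php
/* IPv6 states carry "[" (see the test above), IPv4 ones use ":" before the port. */
$delim = strstr($info, "[") ? "[" : ":";
list($first) = explode($delim, $ends[0]);
list($last) = explode($delim, $ends[count($ends) - 1]);
$first = trim($first);
$last = trim($last);
if (strstr($info, "->")) {
	$srcip = $first;
	$dstip = $last;
} else {
	$srcip = $last;
	$dstip = $first;
}
```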
diff --git a/usr/local/www/diag_testport.php b/usr/local/www/diag_testport.php
index b64075e..902e1e2 100644
--- a/usr/local/www/diag_testport.php
+++ b/usr/local/www/diag_testport.php
@@ -201,7 +201,15 @@ include("head.inc"); ?>
/* Attempt to determine the interface address, if possible. Else try both. */
if (is_ipaddrv4($host)) {
- $ifaddr = ($sourceip == "any") ? "" : get_interface_ip($sourceip);
+ if ($sourceip == "any") {
+ $ifaddr = "";
+ } else {
+ if (is_ipaddr($sourceip)) {
+ $ifaddr = $sourceip;
+ } else {
+ $ifaddr = get_interface_ip($sourceip);
+ }
+ }
$nc_args .= " -4";
} elseif (is_ipaddrv6($host)) {
if ($sourceip == "any")
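Review bot: Inside the `is_ipaddrv4($host)` branch the new code accepts `$sourceip` whenever `is_ipaddr()` is true, which also admits an IPv6 literal, so an IPv6 source combined with an IPv4 host passes validation and is handed to nc with `-4`; use `if (is_ipaddrv4($sourceip)) {` here so the family of the source matches the branch. The IPv6 branch beginning at `elseif (is_ipaddrv6($host))` runs past the hunk, so I cannot see whether it mirrors the change with `is_ipaddrv6()`; it should.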
diff --git a/usr/local/www/firewall_aliases.php b/usr/local/www/firewall_aliases.php
index d4efcf5..7e9ce20 100644
--- a/usr/local/www/firewall_aliases.php
+++ b/usr/local/www/firewall_aliases.php
@@ -106,7 +106,7 @@ if ($_GET['act'] == "del") {
// Static routes
find_alias_reference(array('staticroutes', 'route'), array('network'), $alias_name, $is_alias_referenced, $referenced_by);
if($is_alias_referenced == true) {
- $savemsg = sprintf(gettext("Cannot delete alias. Currently in use by %s"), $referenced_by);
+ $savemsg = sprintf(gettext("Cannot delete alias. Currently in use by %s"), htmlspecialchars($referenced_by));
} else {
unset($a_aliases[$_GET['id']]);
if (write_config()) {
diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php
index eb99406..4d65967 100644
--- a/usr/local/www/firewall_nat_out_edit.php
+++ b/usr/local/www/firewall_nat_out_edit.php
@@ -172,7 +172,7 @@ if ($_POST) {
if($protocol_uses_ports && $_POST['dstport'] <> "" && !(is_portoralias($_POST['dstport']) || is_portrange($_POST['dstport'])))
$input_errors[] = gettext("You must supply either a valid port or port alias for the destination port entry.");
- if($protocol_uses_ports && $_POST['natport'] <> "" && !is_port($_POST['natport']) && !isset($_POST['nonat']))
+ if($protocol_uses_ports && $_POST['natport'] <> "" && !(is_portoralias($_POST['natport']) || is_portrange($_POST['natport'])) && !isset($_POST['nonat']))
$input_errors[] = gettext("You must supply a valid port for the NAT port entry.");
if (($_POST['source_type'] != "any") && ($_POST['source_type'] != "(self)")) {
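Review bot: The validation now accepts a port alias or a port range for the NAT port, but the error message on the following line still says "You must supply a valid port for the NAT port entry.", so a user who enters an invalid alias is told nothing about aliases or ranges being allowed; align it with the destination-port message two lines above: `$input_errors[] = gettext("You must supply either a valid port, port alias or port range for the NAT port entry.");`. The `$_POST` handler enclosing these lines starts outside the hunk.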
diff --git a/usr/local/www/guiconfig.inc b/usr/local/www/guiconfig.inc
index 62de607..b6ed0ad 100644
--- a/usr/local/www/guiconfig.inc
+++ b/usr/local/www/guiconfig.inc
@@ -246,9 +246,6 @@ $medias = array("auto" => "autoselect", "100full" => "100BASE-TX full-duplex",
$wlan_modes = array("bss" => "Infrastructure (BSS)", "adhoc" => "Ad-hoc (IBSS)",
"hostap" => "Access Point");
-/* platforms that support firmware updating */
-$fwupplatforms = array('pfSense', 'net45xx', 'net48xx', 'generic-pc', 'embedded', 'wrap', 'nanobsd');
-
function do_input_validation($postdata, $reqdfields, $reqdfieldsn, &$input_errors) {
/* check for bad control characters */
@@ -1119,7 +1116,7 @@ function alias_info_popup($alias_id){
$alias_objects_with_details .= "<tr><td $close_title width=\"5%\" class=\"vncell\" style=\"background: #FFFFFF;color: #000000;\">{$alias_addresses[$counter]}</td>";
$alias_detail_default = strpos ($alias_details[$counter],"Entry added");
if ($alias_details[$counter] != "" && $alias_detail_default === False)
- $alias_objects_with_details .="<td $close_title width=\"95%\" class=\"vncell\" style=\"background: #FFFFFF;color: #000000;\">{$alias_details[$counter]}</td>";
+ $alias_objects_with_details .="<td $close_title width=\"95%\" class=\"vncell\" style=\"background: #FFFFFF;color: #000000;\">" . htmlspecialchars($alias_details[$counter]) . "</td>";
else
$alias_objects_with_details .="<td $close_title width=\"95%\" class=\"vncell\" style=\"background: #FFFFFF;color: #000000;\">&nbsp;</td>";
$alias_objects_with_details .= "</tr>";
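Review bot: The first cell of the same row, on the hunk's opening line, still interpolates `{$alias_addresses[$counter]}` directly into the `<td>` while the detail cell is now escaped; alias addresses are user-entered strings (hostnames, URLs, alias names), so they need the same treatment: replace the interpolation with `" . htmlspecialchars($alias_addresses[$counter]) . "`. `alias_info_popup()` starts before and ends after this hunk.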
@@ -1132,7 +1129,7 @@ function alias_info_popup($alias_id){
if ($strlength >= $maxlength)
$alias_descr_substr = substr($alias_descr_substr, 0, $maxlength) . "...";
$item_text = ($counter > 1 ? "items" : "item");
- $alias_caption = "{$alias_descr_substr} - {$counter} {$item_text}<a href=\"/firewall_aliases_edit.php?id={$alias_id}\" title=\"".gettext('edit this alias')."\">&nbsp;&nbsp;edit </a>";
+ $alias_caption = htmlspecialchars($alias_descr_substr) . " - {$counter} {$item_text}<a href=\"/firewall_aliases_edit.php?id={$alias_id}\" title=\"".gettext('edit this alias')."\">&nbsp;&nbsp;edit </a>";
$strlength = strlen ($alias_caption);
print "<h1>{$alias_caption}</h1>" . $alias_objects_with_details;
}
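Review bot: The description is now escaped, but `$alias_id` is still interpolated unescaped into the `href` on the same line; if it is always an integer index (as the `?id=` parameter suggests) then `(int)$alias_id` in the link is a free guarantee of that, and if it can be anything else it needs `htmlspecialchars()`. Note also that `$strlength = strlen($alias_caption)` on the following line now measures the entity-encoded caption rather than the displayed text; whether that length is used afterwards is outside the hunk, so check that nothing relies on it.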
diff --git a/usr/local/www/load_balancer_pool.php b/usr/local/www/load_balancer_pool.php
index 46e4e1c..0a81931 100644
--- a/usr/local/www/load_balancer_pool.php
+++ b/usr/local/www/load_balancer_pool.php
@@ -92,9 +92,11 @@ for ($i = 0; isset($config['load_balancer']['monitor_type'][$i]); $i++) {
$mondex[$config['load_balancer']['monitor_type'][$i]['name']] = $i;
}
for ($i = 0; isset($config['load_balancer']['lbpool'][$i]); $i++) {
+ $a_pool[$i]['mode'] = htmlspecialchars($a_pool[$i]['mode']);
$a_pool[$i]['monitor'] = "<a href=\"/load_balancer_monitor_edit.php?id={$mondex[$a_pool[$i]['monitor']]}\">" . htmlspecialchars($a_pool[$i]['monitor']) . "</a>";
}
+
$pgtitle = array(gettext("Services"), gettext("Load Balancer"),gettext("Pool"));
$shortcut_section = "relayd";
diff --git a/usr/local/www/load_balancer_pool_edit.php b/usr/local/www/load_balancer_pool_edit.php
index 457087b..72f36ce 100644
--- a/usr/local/www/load_balancer_pool_edit.php
+++ b/usr/local/www/load_balancer_pool_edit.php
@@ -74,6 +74,8 @@ if (isset($id) && $a_pool[$id]) {
$changedesc = gettext("Load Balancer: Pool:") . " ";
$changecount = 0;
+$allowed_modes = array("loadbalance", "failover");
+
if ($_POST) {
$changecount++;
@@ -110,6 +112,10 @@ if ($_POST) {
if (!empty($_POST['retry']) && !is_port($_POST['retry']))
$input_errors[] = gettext("The retry value must be an integer between 1 and 65535.");
+ if (!in_array($_POST['mode'], $allowed_modes)) {
+ $input_errors[] = gettext("The submitted mode is not valid.");
+ }
+
if (is_array($_POST['servers'])) {
foreach($pconfig['servers'] as $svrent) {
if (!is_ipaddr($svrent) && !is_subnetv4($svrent)) {
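Review bot: The new allowlist check on `$_POST['mode']` calls `in_array()` without the third `strict` argument, so the comparison is loose; with a string haystack and a string POST value it is equivalent today, but `in_array($_POST['mode'], $allowed_modes, true)` states the intent and survives a future non-string entry in the list. The same applies to the `relay_protocol` check in the load_balancer_virtual_server_edit.php hunk. When `mode` is missing from the POST body the lookup also raises an undefined-index notice before the rejection, so guarding with `isset($_POST['mode'])` first is cleaner.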
diff --git a/usr/local/www/load_balancer_virtual_server.php b/usr/local/www/load_balancer_virtual_server.php
index 04a4d7b..4940864 100644
--- a/usr/local/www/load_balancer_virtual_server.php
+++ b/usr/local/www/load_balancer_virtual_server.php
@@ -87,6 +87,8 @@ for ($i = 0; isset($config['load_balancer']['lbpool'][$i]); $i++) {
}
for ($i = 0; isset($config['load_balancer']['virtual_server'][$i]); $i++) {
if($a_vs[$i]) {
+ $a_vs[$i]['mode'] = htmlspecialchars($a_vs[$i]['mode']);
+ $a_vs[$i]['relay_protocol'] = htmlspecialchars($a_vs[$i]['relay_protocol']);
$a_vs[$i]['poolname'] = "<a href=\"/load_balancer_pool_edit.php?id={$poodex[$a_vs[$i]['poolname']]}\">" . htmlspecialchars($a_vs[$i]['poolname']) . "</a>";
if ($a_vs[$i]['sitedown'] != '') {
$a_vs[$i]['sitedown'] = "<a href=\"/load_balancer_pool_edit.php?id={$poodex[$a_vs[$i]['sitedown']]}\">" . htmlspecialchars($a_vs[$i]['sitedown']) . "</a>";
diff --git a/usr/local/www/load_balancer_virtual_server_edit.php b/usr/local/www/load_balancer_virtual_server_edit.php
index 8e6ffe8..50f59ed 100644
--- a/usr/local/www/load_balancer_virtual_server_edit.php
+++ b/usr/local/www/load_balancer_virtual_server_edit.php
@@ -69,6 +69,8 @@ if (isset($id) && $a_vs[$id]) {
$changedesc = gettext("Load Balancer: Virtual Server:") . " ";
$changecount = 0;
+$allowed_protocols = array("tcp", "dns");
+
if ($_POST) {
unset($input_errors);
$pconfig = $_POST;
@@ -107,6 +109,10 @@ if ($_POST) {
else if (is_subnetv4($_POST['ipaddr']) && subnet_size($_POST['ipaddr']) > 64)
$input_errors[] = sprintf(gettext("%s is a subnet containing more than 64 IP addresses."), $_POST['ipaddr']);
+ if (!in_array($_POST['relay_protocol'], $allowed_protocols)) {
+ $input_errors[] = gettext("The submitted relay protocol is not valid.");
+ }
+
if ((strtolower($_POST['relay_protocol']) == "dns") && !empty($_POST['sitedown']))
$input_errors[] = gettext("You cannot select a Fall Back Pool when using the DNS relay protocol.");
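Review bot: The new allowlist is case-sensitive (`"tcp"`, `"dns"`), but the check immediately below still calls `strtolower($_POST['relay_protocol'])`, which implies the page tolerated mixed-case values until now; a submitted `DNS` is rejected by the first check while the second still treats it as DNS. Either normalise once before validating, `$_POST['relay_protocol'] = strtolower($_POST['relay_protocol']);` ahead of the `in_array()`, or drop the `strtolower()` so both checks agree on one canonical form. Whether existing configs can hold upper-case values I cannot tell from this hunk.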
diff --git a/usr/local/www/pkg_mgr_installed.php b/usr/local/www/pkg_mgr_installed.php
index cd86295..2384a2d 100644
--- a/usr/local/www/pkg_mgr_installed.php
+++ b/usr/local/www/pkg_mgr_installed.php
@@ -147,8 +147,10 @@ include("head.inc");
#check package version
$latest_package = $currentvers[$pkg['name']]['version'];
if ($latest_package) {
+ $pkg_compare_result = compare_pkg_versions($pkg['version'], $latest_package);
+
// we're running a newer version of the package
- if(strcmp($pkg['version'], $latest_package) > 0) {
+ if ($pkg_compare_result > 0) {
$tdclass = "listbggrey";
if ($g['disablepackagehistory'])
$pkgver = "<a>".gettext("Available") .": ". $latest_package . "<br />";
@@ -157,7 +159,7 @@ include("head.inc");
$pkgver .= gettext("Installed") .": ". $pkg['version']. "</a>";
}
// we're running an older version of the package
- if(strcmp($pkg['version'], $latest_package) < 0) {
+ if ($pkg_compare_result < 0) {
$tdclass = "listbg";
if ($g['disablepackagehistory'])
$pkgver = "<a><font color='#ffffff'>" . gettext("Available") .": ". $latest_package . "</font><br />";
@@ -166,7 +168,7 @@ include("head.inc");
$pkgver .= gettext("Installed") .": ". $pkg['version']."</font></a>";
}
// we're running the current version
- if(!strcmp($pkg['version'], $latest_package)) {
+ if ($pkg_compare_result == 0) {
$tdclass = "listr";
if ($g['disablepackagehistory'])
$pkgver = "<a>{$pkg['version']}</a>";
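Review bot: `if ($pkg_compare_result == 0)` is a loose comparison, so if `compare_pkg_versions()` (assigned in the first hunk of this file) ever returns `null` or `false` for a version string it cannot parse, the package is rendered as current instead of being flagged; `if ($pkg_compare_result === 0)` limits that branch to a genuine equality result. The `> 0` and `< 0` tests in the earlier hunks are unaffected. I cannot see the helper's contract from this diff, so this is a guard against an unknown rather than a confirmed bug.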
diff --git a/usr/local/www/status.php b/usr/local/www/status.php
index b7c21b4..3e0e8ea 100755
--- a/usr/local/www/status.php
+++ b/usr/local/www/status.php
@@ -161,6 +161,7 @@ defCmdT("Free Disk Space","/bin/df -hi");
defCmdT("Routing tables","/usr/bin/netstat -nWr");
defCmdT("Mbuf Usage","/usr/bin/netstat -mb");
defCmdT("VMStat", "/usr/bin/vmstat -afimsz");
+defCmdT("Sockets", "/usr/bin/sockstat");
/* Firewall rules and info */
defCmdT("Generated Ruleset","/bin/cat {$g['tmp_path']}/rules.debug");
@@ -184,19 +185,20 @@ defCmdT("pftop Speed","/usr/local/sbin/pftop -w 150 -a -b -v speed");
if (isset($config['captiveportal']) && is_array($config['captiveportal'])) {
foreach ($config['captiveportal'] as $cpZone => $cpdata) {
if (isset($cpdata['enable']))
- defCmdT("IPFW rules for {$cpdata['zoneid']}", "/sbin/ipfw -x " . escapeshellarg($cpdata['zoneid']) . " show");
+ defCmdT("IPFW rules for {$cpdata['zone']}", "/sbin/ipfw -x " . escapeshellarg($cpdata['zoneid']) . " show");
}
}
/* Configuration Files */
-defCmdT("Contents of /var/run", "/bin/ls /var/run");
-defCmdT("Contents of /conf", "/bin/ls /conf");
+defCmdT("Contents of var run", "/bin/ls /var/run");
+defCmdT("Contents of conf", "/bin/ls /conf");
defCmdT("config.xml","dumpconfigxml");
defCmdT("resolv.conf","/bin/cat /etc/resolv.conf");
defCmdT("DHCP Configuration","/bin/cat /var/dhcpd/etc/dhcpd.conf");
defCmdT("DHCPv6 Configuration","/bin/cat /var/dhcpd/etc/dhcpdv6.conf");
defCmdT("strongSwan config","/bin/cat /var/etc/ipsec/strongswan.conf");
defCmdT("IPsec config","/bin/cat /var/etc/ipsec/ipsec.conf");
+defCmdT("IPsec Status","/usr/local/sbin/ipsec statusall");
defCmdT("SPD","/sbin/setkey -DP");
defCmdT("SAD","/sbin/setkey -D");
if (file_exists("/cf/conf/upgrade_log.txt")) {
@@ -218,11 +220,13 @@ if (file_exists("/var/etc/filterdns.conf")) {
defCmdT("Filter DNS Daemon Config", "/bin/cat /var/etc/filterdns.conf");
}
if(isset($config['system']['usefifolog'])) {
- defCmdT("last 200 system log entries","/usr/sbin/fifolog_reader /var/log/system.log 2>&1 | tail -n 200");
+ defCmdT("last 500 system log entries","/usr/sbin/fifolog_reader /var/log/system.log 2>&1 | tail -n 500");
defCmdT("last 50 filter log entries","/usr/sbin/fifolog_reader /var/log/filter.log 2>&1 | tail -n 50");
+ defCmdT("last 100 IPsec log entries","/usr/sbin/fifolog_reader /var/log/ipsec.log 2>&1 | tail -n 100");
} else {
- defCmdT("last 200 system log entries","/usr/local/sbin/clog /var/log/system.log 2>&1 | tail -n 200");
+ defCmdT("last 500 system log entries","/usr/local/sbin/clog /var/log/system.log 2>&1 | tail -n 500");
defCmdT("last 50 filter log entries","/usr/local/sbin/clog /var/log/filter.log 2>&1 | tail -n 50");
+ defCmdT("last 100 IPsec log entries","/usr/local/sbin/clog /var/log/ipsec.log 2>&1 | tail -n 100");
}
if (file_exists("/tmp/PHP_errors.log")) {
defCmdT("PHP Error Log", "/bin/cat /tmp/PHP_errors.log");
diff --git a/usr/local/www/status_captiveportal_test.php b/usr/local/www/status_captiveportal_test.php
index 4caafb4..ddb5b43 100644
--- a/usr/local/www/status_captiveportal_test.php
+++ b/usr/local/www/status_captiveportal_test.php
@@ -108,10 +108,10 @@ if ($_POST) {
foreach ($test_results as $result) {
if (strpos($result, " good ") || strpos($result, " granted ")) {
echo "<tr><td bgcolor=\"#D9DEE8\"><img src=\"/themes/{$g['theme']}/images/icons/icon_pass.gif\" alt=\"pass\" /></td>";
- echo "<td bgcolor=\"#D9DEE8\">$result</td></tr>";
+ echo "<td bgcolor=\"#D9DEE8\">" . htmlspecialchars($result) . "</td></tr>";
} else {
echo "<tr><td bgcolor=\"#FFD9D1\"><img src=\"/themes/{$g['theme']}/images/icons/icon_block.gif\" alt=\"block\" /></td>";
- echo "<td bgcolor=\"#FFD9D1\">$result</td></tr>";
+ echo "<td bgcolor=\"#FFD9D1\">" . htmlspecialchars($result) . "</td></tr>";
}
}
echo "</table>";
diff --git a/usr/local/www/status_graph.php b/usr/local/www/status_graph.php
index 3c8ba8f..832b068 100644
--- a/usr/local/www/status_graph.php
+++ b/usr/local/www/status_graph.php
@@ -230,6 +230,7 @@ foreach ($ifdescrs as $ifn => $ifd) {
<select id="hostipformat" name="hostipformat" class="formselect" style="z-index: -10;" onchange="document.form1.submit()">
<option value="">IP Address</option>
<option value="hostname"<?php if ($curhostipformat == "hostname") echo " selected";?>>Host Name</option>
+ <option value="descr"<?php if ($curhostipformat == "descr") echo " selected=\"selected\"";?>>Description</option>
<option value="fqdn"<?php if ($curhostipformat == "fqdn") echo " selected=\"selected\"";?>>FQDN</option>
</select>
</form>
diff --git a/usr/local/www/status_lb_pool.php b/usr/local/www/status_lb_pool.php
index 6e689a3..140a18a 100644
--- a/usr/local/www/status_lb_pool.php
+++ b/usr/local/www/status_lb_pool.php
@@ -209,7 +209,7 @@ if ($_POST) {
<?php echo $pool['monitor']; ?>
</td>
<td class="listbg" >
- <?=$pool['descr'];?>
+ <?=htmlspecialchars($pool['descr']);?>
</td>
</tr>
<?php endforeach; ?>
diff --git a/usr/local/www/status_lb_vs.php b/usr/local/www/status_lb_vs.php
index 62ae530..952aea7 100644
--- a/usr/local/www/status_lb_vs.php
+++ b/usr/local/www/status_lb_vs.php
@@ -132,7 +132,7 @@ include("head.inc");
?>
</td>
<td class="listbg" >
- <?=$vsent['descr'];?>
+ <?=htmlspecialchars($vsent['descr']);?>
</td>
</tr>
<?php $i++; endforeach; ?>
diff --git a/usr/local/www/status_openvpn.php b/usr/local/www/status_openvpn.php
index 492eded..427115a 100644
--- a/usr/local/www/status_openvpn.php
+++ b/usr/local/www/status_openvpn.php
@@ -147,7 +147,7 @@ include("head.inc"); ?>
<table style="padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px" width="100%" border="0" cellpadding="0" cellspacing="0" summary="status openvpn">
<tr>
<td colspan="6" class="listtopic">
- <?=$server['name'];?> <?=gettext("Client connections"); ?>
+ <?=htmlspecialchars($server['name']);?> <?=gettext("Client connections"); ?>
</td>
</tr>
<tr>
@@ -217,7 +217,7 @@ include("head.inc"); ?>
<table style="display: none; padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px" width="100%" border="0" cellpadding="0" cellspacing="0" id="tabroute-<?= $i ?>" summary="routing table">
<tr>
<td colspan="6" class="listtopic">
- <?=$server['name'];?> <?=gettext("Routing Table"); ?>
+ <?=htmlspecialchars($server['name']);?> <?=gettext("Routing Table"); ?>
</td>
</tr>
<tr>
@@ -286,7 +286,7 @@ include("head.inc"); ?>
<?php foreach ($sk_servers as $sk_server): ?>
<tr id="<?php echo "r:{$sk_server['port']}:{$sk_server['vpnid']}"; ?>">
<td class="listlr">
- <?=$sk_server['name'];?>
+ <?=htmlspecialchars($sk_server['name']);?>
</td>
<td class="listr">
<?=$sk_server['status'];?>
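Review bot: `$sk_server['status']` on the last line of this hunk is still echoed raw, directly below the newly escaped `name`, and the same holds for `$client['status']` in the next hunk. If these values come from the OpenVPN management interface rather than a fixed set of strings, the escaping should cover them too: `<?=htmlspecialchars($sk_server['status']);?>`. I cannot see where the status values originate from this diff.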
@@ -349,7 +349,7 @@ include("head.inc"); ?>
<?php foreach ($clients as $client): ?>
<tr id="<?php echo "r:{$client['port']}:{$client['vpnid']}"; ?>">
<td class="listlr">
- <?=$client['name'];?>
+ <?=htmlspecialchars($client['name']);?>
</td>
<td class="listr">
<?=$client['status'];?>
diff --git a/usr/local/www/status_rrd_graph.php b/usr/local/www/status_rrd_graph.php
index e64cf72..a4aec6d 100644
--- a/usr/local/www/status_rrd_graph.php
+++ b/usr/local/www/status_rrd_graph.php
@@ -409,7 +409,7 @@ function get_dates($curperiod, $graph) {
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="rrd graphs">
<tr>
<td>
- <input type="hidden" name="cat" value="<?php echo "$curcat"; ?>" />
+ <input type="hidden" name="cat" value="<?php echo htmlspecialchars($curcat); ?>" />
<?php
$tab_array = array();
if($curcat == "system") { $tabactive = True; } else { $tabactive = False; }
diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php
index a58ef0e..8e5d03c 100644
--- a/usr/local/www/system_authservers.php
+++ b/usr/local/www/system_authservers.php
@@ -97,6 +97,7 @@ if ($act == "edit") {
$pconfig['ldap_caref'] = $a_server[$id]['ldap_caref'];
$pconfig['ldap_host'] = $a_server[$id]['host'];
$pconfig['ldap_port'] = $a_server[$id]['ldap_port'];
+ $pconfig['ldap_timeout'] = $a_server[$id]['ldap_timeout'];
$pconfig['ldap_urltype'] = $a_server[$id]['ldap_urltype'];
$pconfig['ldap_protver'] = $a_server[$id]['ldap_protver'];
$pconfig['ldap_scope'] = $a_server[$id]['ldap_scope'];
@@ -109,8 +110,10 @@ if ($act == "edit") {
$pconfig['ldap_attr_user'] = $a_server[$id]['ldap_attr_user'];
$pconfig['ldap_attr_group'] = $a_server[$id]['ldap_attr_group'];
$pconfig['ldap_attr_member'] = $a_server[$id]['ldap_attr_member'];
+ $pconfig['ldap_attr_groupobj'] = $a_server[$id]['ldap_attr_groupobj'];
$pconfig['ldap_utf8'] = isset($a_server[$id]['ldap_utf8']);
$pconfig['ldap_nostrip_at'] = isset($a_server[$id]['ldap_nostrip_at']);
+ $pconfig['ldap_rfc2307'] = isset($a_server[$id]['ldap_rfc2307']);
if (!$pconfig['ldap_binddn'] || !$pconfig['ldap_bindpw'])
$pconfig['ldap_anon'] = true;
@@ -217,8 +220,12 @@ if ($_POST) {
if (auth_get_authserver($pconfig['name']) && !isset($id))
$input_errors[] = gettext("An authentication server with the same name already exists.");
- if (($pconfig['type'] == "radius") && isset($_POST['radius_timeout']) && !empty($_POST['radius_timeout']) && (!is_numeric($_POST['radius_timeout']) || (is_numeric($_POST['radius_timeout']) && ($_POST['radius_timeout'] <= 0))))
- $input_errors[] = gettext("RADIUS Timeout value must be numeric and positive.");
+ if (($pconfig['type'] == "ldap") || ($pconfig['type'] == "radius")) {
+ $to_field = "{$pconfig['type']}_timeout";
+ if (isset($_POST[$to_field]) && !empty($_POST[$to_field]) && (!is_numeric($_POST[$to_field]) || (is_numeric($_POST[$to_field]) && ($_POST[$to_field] <= 0)))) {
+ $input_errors[] = sprintf(gettext("%s Timeout value must be numeric and positive."), strtoupper($pconfig['type']));
+ }
+ }
/* if this is an AJAX caller then handle via JSON */
if (isAjax() && is_array($input_errors)) {
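Review bot: The rewritten timeout check accepts anything `is_numeric()` accepts — `"1e3"`, `"2.5"`, `" 7"` — and the later hunk then stores the value as submitted (`$server['ldap_timeout'] = $pconfig['ldap_timeout'];`), so a float or exponent string reaches whatever consumes the LDAP timeout. Since the form text describes the field as whole seconds, `ctype_digit($_POST[$to_field]) && (int)$_POST[$to_field] > 0` is the check that matches, and the stored value should be cast with `(int)`. The RADIUS branch inherits the same looseness from the old code, so tightening here fixes both.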
@@ -251,6 +258,9 @@ if ($_POST) {
$server['ldap_attr_user'] = $pconfig['ldap_attr_user'];
$server['ldap_attr_group'] = $pconfig['ldap_attr_group'];
$server['ldap_attr_member'] = $pconfig['ldap_attr_member'];
+
+ $server['ldap_attr_groupobj'] = empty($pconfig['ldap_attr_groupobj']) ? "posixGroup" : $pconfig['ldap_attr_groupobj'];
+
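Review bot: `ldap_attr_groupobj` is saved verbatim with only an empty-to-`posixGroup` fallback; the neighbouring `ldap_attr_*` fields follow the same pattern in the context lines, so this is consistent, but an object class name is presumably interpolated into an LDAP search filter elsewhere. If that consumer does not escape it, restricting the value in the validation block to attribute-name characters, e.g. `preg_match('/^[A-Za-z0-9.-]+$/', $pconfig['ldap_attr_groupobj'])`, keeps filter metacharacters out of stored config. I cannot see the consumer from this hunk.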
if ($pconfig['ldap_utf8'] == "yes")
$server['ldap_utf8'] = true;
else
@@ -260,6 +270,11 @@ if ($_POST) {
else
unset($server['ldap_nostrip_at']);
+ if ($pconfig['ldap_rfc2307'] == "yes") {
+ $server['ldap_rfc2307'] = true;
+ } else {
+ unset($server['ldap_rfc2307']);
+ }
if (!$pconfig['ldap_anon']) {
$server['ldap_binddn'] = $pconfig['ldap_binddn'];
@@ -268,6 +283,13 @@ if ($_POST) {
unset($server['ldap_binddn']);
unset($server['ldap_bindpw']);
}
+
+ if ($pconfig['ldap_timeout']) {
+ $server['ldap_timeout'] = $pconfig['ldap_timeout'];
+ } else {
+ $server['ldap_timeout'] = 25;
+ }
+
}
if ($server['type'] == "radius") {
@@ -398,6 +420,7 @@ function radius_srvcschange(){
function select_clicked() {
if (document.getElementById("ldap_port").value == '' ||
+ document.getElementById("ldap_timeout").value == '' ||
document.getElementById("ldap_host").value == '' ||
document.getElementById("ldap_scope").value == '' ||
document.getElementById("ldap_basedn").value == '' ||
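Review bot: `select_clicked()` now refuses to proceed when `ldap_timeout` is empty, but the form text added later in this file says the field defaults to 25 and the save path (`$server['ldap_timeout'] = 25;` when unset) honours that, so an admin who leaves the field blank is blocked from the select action for no reason. Either drop the new `document.getElementById("ldap_timeout").value == '' ||` line or pre-fill the input with 25 when `$pconfig['ldap_timeout']` is empty. The function's remaining conditions lie outside the hunk.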
@@ -566,6 +589,13 @@ function select_clicked() {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Server Timeout");?></td>
+ <td width="78%" class="vtable">
+ <input name="ldap_timeout" type="text" class="formfld unknown" id="ldap_timeout" size="5" value="<?=htmlspecialchars($pconfig['ldap_timeout']);?>"/>
+ <br /><?= gettext("Timeout for LDAP operations (seconds). Default: 25"); ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Search scope");?></td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="2" summary="search scope">
@@ -696,6 +726,28 @@ function select_clicked() {
</td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("RFC2307 Groups");?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="2" summary="rfc2307 groups">
+ <tr>
+ <td>
+ <input name="ldap_rfc2307" type="checkbox" id="ldap_rfc2307" value="yes" <?php if ($pconfig['ldap_rfc2307']) echo "checked=\"checked\""; ?> />
+ </td>
+ <td>
+ <?=gettext("Check if the LDAP server uses RFC 2307 style group membership where members are listed on the group object rather than using groups listed on user object. Leave unchecked for Active Directory style group membership (RFC 2307bis).");?>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Group Object Class");?></td>
+ <td width="78%" class="vtable">
+ <input name="ldap_attr_groupobj" type="text" class="formfld unknown" id="ldap_attr_groupobj" size="20" value="<?=htmlspecialchars($pconfig['ldap_attr_groupobj']);?>"/>
+ <br /><?= gettext("Object class used for groups in RFC2307 mode. Typically 'posixGroup' or 'group'. Default: posixGroup"); ?>
+ </td>
+ </tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("UTF8 Encode");?></td>
<td width="78%" class="vtable">
<table border="0" cellspacing="0" cellpadding="2" summary="utf8 encoding">
diff --git a/usr/local/www/system_usermanager.php b/usr/local/www/system_usermanager.php
index 0744dbb..13e19c5 100644
--- a/usr/local/www/system_usermanager.php
+++ b/usr/local/www/system_usermanager.php
@@ -361,7 +361,10 @@ if ($_POST['save']) {
$a_user[] = $userent;
}
+ /* Add user to groups so PHP can see the memberships properly or else the user's shell account does not get proper permissions (if applicable) See #5152. */
+ local_user_set_groups($userent,$_POST['groups']);
local_user_set($userent);
+ /* Add user to groups again to ensure they are set everywhere, otherwise the user may not appear to be a member of the group. See commit:5372d26d9d25d751d16865ed9d46869d3b0ec5e1. */
local_user_set_groups($userent,$_POST['groups']);
write_config();
diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php
index 8965c69..5945691 100644
--- a/usr/local/www/system_usermanager_settings.php
+++ b/usr/local/www/system_usermanager_settings.php
@@ -152,7 +152,7 @@ include("head.inc");
if (!isset($pconfig['authmode']) && $auth_server['name'] == "Local Database")
$selected = "selected=\"selected\"";
?>
- <option value="<?=$auth_server['name'];?>" <?=$selected;?>><?=$auth_server['name'];?></option>
+ <option value="<?=htmlspecialchars($auth_server['name']);?>" <?=$selected;?>><?=htmlspecialchars($auth_server['name']);?></option>
<?php
endforeach;
?>
diff --git a/usr/local/www/system_usermanager_settings_test.php b/usr/local/www/system_usermanager_settings_test.php
index 2dcba45..2ec54b1 100755
--- a/usr/local/www/system_usermanager_settings_test.php
+++ b/usr/local/www/system_usermanager_settings_test.php
@@ -88,15 +88,15 @@ if (!$authcfg) {
echo "<table width='100%'>";
- echo "<tr><td>" . gettext("Attempting connection to") . " " . "<td><center>$auth_server</b></center></td>";
+ echo "<tr><td>" . gettext("Attempting connection to") . " " . "<td><center>" . htmlspecialchars($auth_server). "</b></center></td>";
if(ldap_test_connection($authcfg)) {
echo "<td><center><font color=green>OK</center></td></tr>";
- echo "<tr><td>" . gettext("Attempting bind to") . " " . "<td><center>$auth_server</b></center></td>";
+ echo "<tr><td>" . gettext("Attempting bind to") . " " . "<td><center>" . htmlspecialchars($auth_server). "</b></center></td>";
if(ldap_test_bind($authcfg)) {
echo "<td><center><font color=green>OK</center></td></tr>";
- echo "<tr><td>" . gettext("Attempting to fetch Organizational Units from") . " " . "<td><center>$auth_server</b></center></td>";
+ echo "<tr><td>" . gettext("Attempting to fetch Organizational Units from") . " " . "<td><center>" . htmlspecialchars($auth_server). "</b></center></td>";
$ous = ldap_get_user_ous(true, $authcfg);
if(count($ous)>1) {
echo "<td><center><font color=green>OK</center></td></tr>";
diff --git a/usr/local/www/vpn_ipsec_mobile.php b/usr/local/www/vpn_ipsec_mobile.php
index 8fed8e9..0c4da17 100644
--- a/usr/local/www/vpn_ipsec_mobile.php
+++ b/usr/local/www/vpn_ipsec_mobile.php
@@ -393,7 +393,7 @@ function login_banner_change() {
$selected = "";
if (in_array($auth_server['name'], $authmodes))
$selected = "selected=\"selected\"";
- echo "<option value='{$auth_server['name']}' {$selected}>{$auth_server['name']}</option>\n";
+ echo "<option value=\"" . htmlspecialchars($auth_server['name']). "\" {$selected}>" . htmlspecialchars($auth_server['name']). "</option>\n";
}
?>
</select>
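Review bot: The switch from single- to double-quoted attribute delimiters on the new line is what makes this escape effective, because `htmlspecialchars()` without `ENT_QUOTES` leaves `'` untouched (the default before PHP 8.1); that dependency is easy to lose in a later edit. Passing the flag explicitly, `htmlspecialchars($auth_server['name'], ENT_QUOTES)`, protects the attribute regardless of delimiter. The same default-flag caveat applies to the attribute-context escapes in the system_usermanager_settings.php and vpn_openvpn_server.php hunks, which already use double quotes.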
diff --git a/usr/local/www/vpn_ipsec_phase1.php b/usr/local/www/vpn_ipsec_phase1.php
index 1b87df4..b25e52d 100644
--- a/usr/local/www/vpn_ipsec_phase1.php
+++ b/usr/local/www/vpn_ipsec_phase1.php
@@ -470,10 +470,13 @@ function iketype_change() {
function peeridsel_change() {
index = document.iform.peerid_type.selectedIndex;
value = document.iform.peerid_type.options[index].value;
- if (value == 'peeraddress')
- document.getElementById('peerid_data').style.visibility = 'hidden';
- else
- document.getElementById('peerid_data').style.visibility = 'visible';
+ if (value == 'peeraddress') {
+ document.getElementById('peerid_data').style.visibility = 'hidden';
+ } else if (value == 'any') {
+ document.getElementById('peerid_data').style.visibility = 'hidden';
+ } else {
+ document.getElementById('peerid_data').style.visibility = 'visible';
+ }
}
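Review bot: The two `hidden` branches in peeridsel_change() carry identical bodies; `if (value == 'peeraddress' || value == 'any') {` followed by the single hidden assignment and the existing `else` reads as one decision instead of three. Behaviour is unchanged either way.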
function methodsel_change() {
diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php
index 801575a..cd978f7 100644
--- a/usr/local/www/vpn_openvpn_server.php
+++ b/usr/local/www/vpn_openvpn_server.php
@@ -810,7 +810,7 @@ if ($savemsg)
if (in_array($auth_server_key, $authmodes))
$selected = "selected=\"selected\"";
?>
- <option value="<?=$auth_server_key;?>" <?=$selected;?>><?=$auth_server['name'];?></option>
+ <option value="<?=htmlspecialchars($auth_server_key);?>" <?=$selected;?>><?=htmlspecialchars($auth_server['name']);?></option>
<?php endforeach; ?>
</select>
</td>
diff --git a/usr/local/www/widgets/widgets/load_balancer_status.widget.php b/usr/local/www/widgets/widgets/load_balancer_status.widget.php
index 098a028..9accedc 100644
--- a/usr/local/www/widgets/widgets/load_balancer_status.widget.php
+++ b/usr/local/www/widgets/widgets/load_balancer_status.widget.php
@@ -140,7 +140,7 @@ if (!$nentries)
</table>
</td>
<td class="listbg" >
- <font color="#FFFFFF"><?=$vsent['descr'];?></font>
+ <font color="#FFFFFF"><?=htmlspecialchars($vsent['descr']);?></font>
</td>
</tr>
<?php $i++; endforeach; ?>
diff --git a/usr/local/www/widgets/widgets/openvpn.widget.php b/usr/local/www/widgets/widgets/openvpn.widget.php
index 75ccc3f..fcc327b 100644
--- a/usr/local/www/widgets/widgets/openvpn.widget.php
+++ b/usr/local/www/widgets/widgets/openvpn.widget.php
@@ -126,7 +126,7 @@ $clients = openvpn_get_active_clients();
<table style="padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td colspan="6" class="listtopic">
- <?=$server['name'];?> Client connections
+ <?=htmlspecialchars($server['name']);?> Client connections
</td>
</tr>
<tr>