Diffstat (limited to 'src/usr/local/www/diag_tables.php')
-rw-r--r-- | src/usr/local/www/diag_tables.php | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/src/usr/local/www/diag_tables.php b/src/usr/local/www/diag_tables.php
index c1d049d..c192880 100644
--- a/src/usr/local/www/diag_tables.php
+++ b/src/usr/local/www/diag_tables.php
@@ -31,11 +31,17 @@ $shortcut_section = "aliases";
 require_once("guiconfig.inc");
+exec("/sbin/pfctl -sT", $tables);
+
 // Set default table
 $tablename = "sshlockout";
-if ($_REQUEST['type']) {
+if ($_REQUEST['type'] && in_array($_REQUEST['type'], $tables)) {
 $tablename = $_REQUEST['type'];
+} else {
+ /* Invalid 'type' passed, do not take any actions that use the 'type' field. */
+ unset($_REQUEST['type']);
+ $_REQUEST['delete'];
 }
 // Gather selected alias metadata.
@@ -112,7 +118,6 @@ if ($_POST['Download'] && ($bogons || $urltable)) {
 }
 exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
-exec("/sbin/pfctl -sT", $tables);
 include("head.inc");
@@ -229,7 +234,7 @@ events.push(function() {
 {
 type: 'post',
 data: {
- type: '<?=htmlspecialchars($tablename)?>',
+ type: '<?=htmlspecialchars(addslashes($tablename))?>',
 delete: $(this).data('entry')
 },
 success: function() { |
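Review bot: `$_REQUEST['delete'];` in the new else branch is a bare expression statement whose value is discarded, so the delete parameter is never cleared even though the comment directly above it says no 'type'-dependent action should run; the line should be `unset($_REQUEST['type'], $_REQUEST['delete']);`. Unsetting `$_REQUEST` also does not touch `$_POST` or `$_GET`, so if the delete handler later in the file (outside this hunk) reads `$_POST['delete']`, it will still fire against the default `sshlockout` table — worth verifying. Two smaller points on the new condition: `$_REQUEST['type']` is read without `isset`/`!empty`, which raises a notice on every request that omits it, and `in_array` should pass `true` as its third argument so the membership test against the `pfctl -sT` output is a strict string comparison. Together: `if (!empty($_REQUEST['type']) && in_array($_REQUEST['type'], $tables, true)) {`.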
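Review bot: `addslashes()` is not a JavaScript-string escaper — it backslash-escapes quotes and backslashes but leaves newlines, `</script>` and U+2028/2029 alone — and wrapping it in `htmlspecialchars()` is the wrong context, since entities are not decoded inside a `<script>` block, so a value containing `&` would be posted back as `&amp;`. The idiomatic escape for a JS literal is `type: <?=json_encode($tablename, JSON_HEX_TAG | JSON_HEX_AMP)?>,` with the surrounding single quotes dropped. In practice the exposure is small here because the first hunk now restricts `$tablename` to names returned by `pfctl -sT` (and pf table names appear to be limited to a narrow character set, though that should be confirmed), so this is mainly about using the right escaper for the context. The enclosing `events.push(function() {` callback and the ajax call both begin before and continue past this hunk.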