Diffstat (limited to 'src/usr/local/www/diag_tables.php')
-rw-r--r--src/usr/local/www/diag_tables.php11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/usr/local/www/diag_tables.php b/src/usr/local/www/diag_tables.php
index c1d049d..c192880 100644
--- a/src/usr/local/www/diag_tables.php
+++ b/src/usr/local/www/diag_tables.php
@@ -31,11 +31,17 @@ $shortcut_section = "aliases";
require_once("guiconfig.inc");
+exec("/sbin/pfctl -sT", $tables);
+
// Set default table
$tablename = "sshlockout";
-if ($_REQUEST['type']) {
+if ($_REQUEST['type'] && in_array($_REQUEST['type'], $tables)) {
$tablename = $_REQUEST['type'];
+} else {
+ /* Invalid 'type' passed, do not take any actions that use the 'type' field. */
+ unset($_REQUEST['type']);
+ $_REQUEST['delete'];
}
// Gather selected alias metadata.
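Review bot: The statement `$_REQUEST['delete'];` in the new else branch is a bare expression with no effect, so the delete parameter survives an invalid `type`; it was presumably meant to be `unset($_REQUEST['delete']);`. Because `$tablename` keeps its default value in that branch, any later code that acts on a delete request would presumably still run against the default table. That code is outside this hunk, and if it reads `$_POST['delete']` rather than `$_REQUEST`, the unset has to cover `$_POST` as well, since the two arrays are independent copies. The allow-list test should also compare strictly, `in_array($_REQUEST['type'], $tables, true)`, so that a non-string `type` cannot match through loose comparison.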
@@ -112,7 +118,6 @@ if ($_POST['Download'] && ($bogons || $urltable)) {
}
exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
-exec("/sbin/pfctl -sT", $tables);
include("head.inc");
@@ -229,7 +234,7 @@ events.push(function() {
{
type: 'post',
data: {
- type: '<?=htmlspecialchars($tablename)?>',
+ type: '<?=htmlspecialchars(addslashes($tablename))?>',
delete: $(this).data('entry')
},
success: function() {
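Review bot: The `type:` value is written into a single-quoted JavaScript string, and `htmlspecialchars(addslashes($tablename))` is not an encoder for that context. `addslashes` leaves newlines and `</script>` untouched, and if this is an inline script block, as it appears to be, the browser does not decode the HTML entities, so they reach the server literally in the POST data. Let the encoder emit the whole literal instead: `type: <?=json_encode($tablename, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP)?>,`. The allow-list check added at the top of the file narrows what `$tablename` can hold, but the output encoding should be correct on its own. The enclosing `events.push` callback starts and ends outside this hunk.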