From 1457cce53e604935dbc737bb7cfd4de64a957be5 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Wed, 31 Oct 2012 13:33:44 -0400
Subject: Escape parameters better when managing tables. Fix test to allow deleting subnet entries as well as IPs.
---
 usr/local/www/diag_tables.php | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/usr/local/www/diag_tables.php b/usr/local/www/diag_tables.php
index eba3d5f..c040907 100644
--- a/usr/local/www/diag_tables.php
+++ b/usr/local/www/diag_tables.php
@@ -52,7 +52,7 @@ if($_REQUEST['type'])
 $tablename = $_REQUEST['type'];
 if($_REQUEST['delete']) {
- if(is_ipaddr($_REQUEST['delete'])) {
+ if(is_ipaddr($_REQUEST['delete']) || is_subnet($_REQUEST['delete'])) {
 exec("/sbin/pfctl -t " . escapeshellarg($_REQUEST['type']) . " -T delete " . escapeshellarg($_REQUEST['delete']), $delete);
 echo htmlentities($_REQUEST['delete']);
 }
@@ -60,7 +60,7 @@ if($_REQUEST['delete']) {
 }
 if($_REQUEST['deleteall']) {
- exec("/sbin/pfctl -t $tablename -T show", $entries);
+ exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
 if(is_array($entries)) {
 foreach($entries as $entryA) {
 $entry = trim($entryA);
@@ -86,7 +86,7 @@ if(($tablename == "bogons") && ($_POST['Download'])) {
 $savemsg = gettext("The bogons database has been updated.");
 }
-exec("/sbin/pfctl -t $tablename -T show", $entries);
+exec("/sbin/pfctl -t " . escapeshellarg($tablename) . " -T show", $entries);
 exec("/sbin/pfctl -sT", $tables);
 include("head.inc");
@@ -103,7 +103,7 @@ include("fbegin.inc");
 window.location='diag_tables.php?type=' + entrytype;
 }
 function del_entry(entry) {
- new Ajax.Request("diag_tables.php?type=&delete=" + entry, {
+ new Ajax.Request("diag_tables.php?type=&delete=" + entry, {
 onComplete: function(response) {
 if (200 == response.status)
 new Effect.Fade($(response.responseText), { duration: 1.0 } );
@@ -137,7 +137,7 @@ include("fbegin.inc"); - + 
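Review bot: The table name taken from `$_REQUEST['type']` (and `$tablename`, assigned from it on the context line above) is now passed through escapeshellarg before reaching pfctl in the `-T delete` and both `-T show` calls (hunks @@ -52, @@ -60 and @@ -86), but nothing in the patch checks that it names a table that actually exists; escapeshellarg closes the shell-metacharacter hole, yet any client-supplied string is still handed to pfctl and whatever it prints lands in `$delete`/`$entries` unchecked. The page already runs `exec("/sbin/pfctl -sT", $tables);` (visible in hunk @@ -86), so the cheap hardening is to whitelist against that output before any of these exec calls, e.g. `if (!in_array(trim($tablename), array_map('trim', $tables), true)) { $tablename = ''; }` — which means moving the `-sT` exec ahead of the delete branch, a reordering that lies partly outside these hunks. The delete branch in hunk @@ -52 also reads `$_REQUEST['type']` directly while the other two hunks use `$tablename`; using `$tablename` in all three would make a single validation point cover every call. The enclosing code of each hunk continues outside the hunk.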
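Review bot: In `del_entry` the new `Ajax.Request(...)` line still appends `entry` to the query string without URL-encoding it, and this same commit widens the accepted values to subnets (`is_subnet` in hunk @@ -52), so the value now routinely contains a `/` and any other URL-significant character would be passed through verbatim; change it to `"diag_tables.php?type=&delete=" + encodeURIComponent(entry)`. The removed and added lines print identically in this rendering, which suggests the PHP template fragment between `type=` and `&delete=` was stripped, so I cannot see what the commit actually changed on that line — if that fragment emits `$tablename`, it should be HTML/JS-escaped there too. The del_entry function continues past the end of the hunk.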
@@ -156,7 +156,7 @@ include("fbegin.inc"); if($tablename == "bogons") echo " " . gettext(" the latest bogon data."); else - echo "

" . gettext("Delete") . " " . gettext("all") . " " . gettext("entries in this table."); + echo "

" . gettext("Delete") . " " . gettext("all") . " " . gettext("entries in this table."); ?> -- cgit v1.1