From 1e578a7f10843f470d2bf5274bbef695a14bb9d0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ermal=20Lu=E7i?=
Date: Thu, 3 Dec 2009 13:54:11 +0000
Subject: Resolves #146 Add propper validation on alias usage. Allow port type aliases only on port side and other aliases in ip specifications and similar. Introduce a new function is_portoralias to ressemble the is_ipaddroralias to check for the cases.

---
 etc/inc/util.inc | 52 +++++++++++++++++++----------------
 usr/local/www/firewall_nat_edit.php | 6 ++--
 usr/local/www/firewall_rules_edit.php | 14 +++++-----
 3 files changed, 38 insertions(+), 34 deletions(-)

diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index b585aa8..603ad8a 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -201,34 +201,21 @@ function is_ipaddr($ipaddr) {
 /* returns true if $ipaddr is a valid dotted IPv4 address or an alias thereof */
 function is_ipaddroralias($ipaddr) {
+ global $config;
- global $aliastable, $config;
-
- if(is_array($config['aliases']['alias'])) {
- foreach($config['aliases']['alias'] as $alias) {
- if($alias['name'] == $ipaddr)
- return true;
- }
- }
-
- if (isset($aliastable[$ipaddr]) && is_ipaddr($aliastable[$ipaddr]))
- return true;
- else
+ if (is_alias($ipaddr)) {
+ if (is_array($config['aliases']['alias'])) {
+ foreach ($config['aliases']['alias'] as $alias) {
+ if ($alias['name'] == $ipaddr && $alias['type'] != "port")
+ return true;
+ }
+ }
+ return false;
+ } else
 return is_ipaddr($ipaddr);
 }
-/* returns true if $ipaddr is a valid dotted IPv4 address or any alias */
-function is_ipaddroranyalias($ipaddr) {
- global $aliastable;
- if (isset($aliastable[$ipaddr])) return true;
- else
- return is_ipaddr($ipaddr);
-}
-
 /* returns true if $subnet is a valid subnet in CIDR format */
 function is_subnet($subnet) {
 if (!is_string($subnet))
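Review bot: The header comment on is_ipaddroralias() no longer matches the new body: the function now accepts the name of any alias whose `type` is not `"port"`, not only an alias of a dotted IPv4 address, so a reader of the comment would assume a narrower check than the code performs; suggested wording: `/* returns true if $ipaddr is a valid dotted IPv4 address or the name of a non-port alias */`. The two comparisons on the new side should be strict, `$alias['name'] === $ipaddr && $alias['type'] !== "port"`, since PHP's `==` compares numeric-looking strings numerically. is_alias() is not shown here; if it can report a name that is absent from `$config['aliases']['alias']`, the new code returns false for it, which fails closed, but that is worth confirming. Note also that is_ipaddroranyalias() is removed outright while the diffstat shows only firewall_rules_edit.php being updated, so any other caller would now hit an undefined-function fatal.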
@@ -332,6 +319,23 @@ function is_portrange($portrange) {
 return false;
 }
+/* returns true if $port is a valid port number or an alias thereof */
+function is_portoralias($port) {
+ global $config;
+
+ if (is_alias($port)) {
+ if (is_array($config['aliases']['alias'])) {
+ foreach ($config['aliases']['alias'] as $alias) {
+ if ($alias['name'] == $port && $alias['type'] == "port")
+ return true;
+ }
+ }
+ return false;
+ } else
+ return is_port($ipaddr);
+
+}
+
 /* returns true if $val is a valid shaper bandwidth value */
 function is_valid_shaperbw($val) {
 return (preg_match("/^(\d+(?:\.\d+)?)([MKG]?b|%)$/", $val));
@@ -1115,4 +1119,4 @@ function is_URL($url) {
 return false;
 }
-?>
\ No newline at end of file
+?>
diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php
index 635f7f4..a1e0c9c 100755
--- a/usr/local/www/firewall_nat_edit.php
+++ b/usr/local/www/firewall_nat_edit.php
@@ -125,15 +125,15 @@ if ($_POST) {
 /* only validate the ports if the protocol is TCP, UDP or TCP/UDP */
 if(strtoupper($_POST['proto']) == "TCP" or strtoupper($_POST['proto']) == "UDP" or strtoupper($_POST['proto']) == "TCP/UDP") {
- if (($_POST['beginport'] && !is_ipaddroralias($_POST['beginport']) && !is_port($_POST['beginport']))) {
+ if ($_POST['beginport'] && !is_portoralias($_POST['beginport'])) {
 $input_errors[] = "The start port must be an integer between 1 and 65535.";
 }
- if (($_POST['endport'] && !is_ipaddroralias($_POST['endport']) && !is_port($_POST['endport']))) {
+ if ($_POST['endport'] && !is_portoralias($_POST['endport'])) {
 $input_errors[] = "The end port must be an integer between 1 and 65535.";
 }
- if (($_POST['localbeginport'] && !is_ipaddroralias($_POST['localbeginport']) && !is_port($_POST['localbeginport']))) {
+ if ($_POST['localbeginport'] && !is_portoralias($_POST['localbeginport'])) {
 $input_errors[] = "The local port must be an integer between 1 and 65535.";
 }
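Review bot: `return is_port($ipaddr);` in the new is_portoralias() reads a variable that does not exist in this function — the parameter is `$port` — so for any non-alias input is_port() is handed null instead of the submitted value and the result no longer depends on what the user typed; every port check this commit switches over to is_portoralias() inherits that. Change it to `return is_port($port);`. As with is_ipaddroralias(), prefer `===` for the name and type comparisons, and the stray blank line between the return and the closing brace can go.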
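Review bot: The three error messages in firewall_nat_edit.php still say the port `must be an integer between 1 and 65535` even though the new is_portoralias() checks also accept a port-type alias, so a user who entered a host alias (now rejected) gets no hint that an alias of type port is what is expected; the rules editor's wording `must be an alias or integer between 1 and 65535` would be consistent here. Separately, the `$_POST['beginport'] &&` guards mean an empty port is silently accepted for TCP/UDP — whether later code supplies a default is not visible in this hunk. The enclosing `if ($_POST)` block starts and ends outside the hunk.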
diff --git a/usr/local/www/firewall_rules_edit.php b/usr/local/www/firewall_rules_edit.php
index 8231692..d647ae7 100755
--- a/usr/local/www/firewall_rules_edit.php
+++ b/usr/local/www/firewall_rules_edit.php
@@ -45,7 +45,7 @@ require("guiconfig.inc");
 require("filter.inc");
 require("shaper.inc");
-$specialsrcdst = explode(" ", "any pptp pppoe l2tp");
+$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
 $ifdisp = get_configured_interface_with_descr();
 foreach ($ifdisp as $kif => $kdescr) {
 $specialsrcdst[] = "{$kif}";
@@ -273,16 +273,16 @@ if ($_POST) {
 $_POST['dstendport'] = 0;
 }
- if (($_POST['srcbeginport'] && !alias_expand($_POST['srcbeginport']) && !is_port($_POST['srcbeginport']))) {
+ if ($_POST['srcbeginport'] && !is_portoralias($_POST['srcbeginport'])) {
 $input_errors[] = "The start source port must be an alias or integer between 1 and 65535.";
 }
- if (($_POST['srcendport'] && !alias_expand($_POST['srcendport']) && !is_port($_POST['srcendport']))) {
+ if ($_POST['srcendport'] && !is_portoralias($_POST['srcendport'])) {
 $input_errors[] = "The end source port must be an alias or integer between 1 and 65535.";
 }
- if (($_POST['dstbeginport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstbeginport']))) {
+ if ($_POST['dstbeginport'] && !is_portoralias($_POST['dstbeginport'])) {
 $input_errors[] = "The start destination port must be an alias or integer between 1 and 65535.";
 }
- if (($_POST['dstendport'] && !alias_expand($_POST['dstbeginport']) && !is_port($_POST['dstendport']))) {
+ if ($_POST['dstendport'] && !is_portoralias($_POST['dstbeginport'])) {
 $input_errors[] = "The end destination port must be an alias or integer between 1 and 65535.";
 }
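Review bot: The last check in the hunk validates the wrong field: `if ($_POST['dstendport'] && !is_portoralias($_POST['dstbeginport']))` tests dstbeginport a second time, so the destination end port is never validated and an arbitrary string submitted for it passes straight through (the old line carried the same copy-paste slip in its alias_expand() call, and the rewrite preserves it). It should read `if ($_POST['dstendport'] && !is_portoralias($_POST['dstendport'])) {`. Where that unvalidated value ends up is not visible here, but the other three checks show the intent was to reject it. The enclosing `if ($_POST)` block starts and ends outside the hunk.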
@@ -297,7 +297,7 @@ if ($_POST) {
 }
 if (!is_specialnet($_POST['srctype'])) {
- if (($_POST['src'] && !is_ipaddroranyalias($_POST['src']))) {
+ if (($_POST['src'] && !is_ipaddroralias($_POST['src']))) {
 $input_errors[] = "A valid source IP address or alias must be specified.";
 }
 if (($_POST['srcmask'] && !is_numericint($_POST['srcmask']))) {
@@ -305,7 +305,7 @@ if ($_POST) {
 }
 }
 if (!is_specialnet($_POST['dsttype'])) {
- if (($_POST['dst'] && !is_ipaddroranyalias($_POST['dst']))) {
+ if (($_POST['dst'] && !is_ipaddroralias($_POST['dst']))) {
 $input_errors[] = "A valid destination IP address or alias must be specified.";
 }
 if (($_POST['dstmask'] && !is_numericint($_POST['dstmask']))) {
-- 
cgit v1.1
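Review bot: The rewritten source check still runs only when `$_POST['src']` is truthy, so an empty source (or the string `"0"`) for a non-special srctype raises no error and falls through; whether a later step fills in a default is not visible in this hunk, so it is worth confirming rather than assuming — `if (!is_ipaddroralias($_POST['src'])) {` would report it as a missing address, since an empty string is neither an alias name nor an IP. The same guard pattern is repeated for `$_POST['dst']` in the following hunk. The doubled parentheses around the condition are redundant and can be dropped. The enclosing `if ($_POST)` block starts and ends outside the hunk.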