From f0cf40f964f2a559ddcf495f492bd9d38f924512 Mon Sep 17 00:00:00 2001
From: jim-p <jimp@pfsense.org>
Date: Tue, 7 Feb 2017 13:35:24 -0500
Subject: Convert easyrule.php to use a confirmation landing page so that the
 parameters can be submitted via POST. Also, remove the JavaScript
 confirmation box since it is now redundant. Fixes #7228 The confirmation page
 displays the submitted parameters for an extra user sanity check. Also fixed
 a bunch of page formatting issues that were not apparent because users rarely
 if ever saw output from the page.

---
 src/usr/local/www/easyrule.php           | 85 ++++++++++++++++++++++++--------
 src/usr/local/www/status_logs_filter.php |  4 +-
 2 files changed, 67 insertions(+), 22 deletions(-)

diff --git a/src/usr/local/www/easyrule.php b/src/usr/local/www/easyrule.php
index d9ea48e..7b0c525 100644
--- a/src/usr/local/www/easyrule.php
+++ b/src/usr/local/www/easyrule.php
@@ -59,7 +59,6 @@
 ##|*MATCH=easyrule.php*
 ##|-PRIV
 
-$pgtitle = gettext("Firewall: EasyRule");
 require_once("guiconfig.inc");
 require_once("easyrule.inc");
 require_once("filter.inc");
@@ -67,17 +66,23 @@ require_once("shaper.inc");
 
 $retval = 0;
 $message = "";
-$specialsrcdst = explode(" ", "any pptp pppoe l2tp openvpn");
+$confirmed = isset($_POST['confirmed']) && $_POST['confirmed'] == 'true';
 
-if ($_GET && isset($_GET['action'])) {
-	switch ($_GET['action']) {
+/* $specialsrcdst must be a defined global for functions being called. */
+global $specialsrcdst;
+$specialsrcdst = explode(" ", "any pppoe l2tp openvpn");
+
+if ($_POST && $confirmed && isset($_POST['action'])) {
+	switch ($_POST['action']) {
 		case 'block':
 			/* Check that we have a valid host */
-			easyrule_parse_block($_GET['int'], $_GET['src'], $_GET['ipproto']);
+			$message = easyrule_parse_block($_POST['int'], $_POST['src'], $_POST['ipproto']);
 			break;
 		case 'pass':
-			easyrule_parse_pass($_GET['int'], $_GET['proto'], $_GET['src'], $_GET['dst'], $_GET['dstport'], $_GET['ipproto']);
+			$message = easyrule_parse_pass($_POST['int'], $_POST['proto'], $_POST['src'], $_POST['dst'], $_POST['dstport'], $_POST['ipproto']);
 			break;
+		default:
+			$message = gettext("Invalid action specified.");
 	}
 }
 
@@ -85,23 +90,62 @@ if (stristr($retval, "error") == true) {
 	$message = $retval;
 }
 
+$pgtitle = array(gettext("Firewall"), gettext("Easy Rule"));
 include("head.inc");
-?>
-<table width="100%" border="0" cellpadding="0" cellspacing="0">
-	<tr>
-		<td>
-<?php
 if ($input_errors) {
 	print_input_errors($input_errors);
 }
-
-if ($message) {
 ?>
-<br />
-<?=gettext("Message"); ?>: <?=$message;?>
-<br />
+<form action="easyrule.php" method="post">
+	<div class="panel panel-default">
+		<div class="panel-heading">
+			<h2 class="panel-title">
+				<?=gettext("Confirmation Required to Add Easy Rule");?>
+			</h2>
+		</div>
+		<div class="panel-body">
+			<div class="content">
 <?php
-} else {
+if (!$confirmed && !empty($_REQUEST['action'])) { ?>
+	<?php if ($_GET['action'] == 'block'): ?>
+				<b><?=gettext("Rule Type")?>:</b> <?=htmlspecialchars(ucfirst(gettext($_GET['action'])))?>
+				<br/><b><?=gettext("Interface")?>:</b> <?=htmlspecialchars(strtoupper($_GET['int']))?>
+				<input type="hidden" name="int" value="<?=htmlspecialchars($_GET['int'])?>" />
+				<br/><b><?= gettext("Source") ?>:</b> <?=htmlspecialchars($_GET['src'])?>
+				<input type="hidden" name="src" value="<?=htmlspecialchars($_GET['src'])?>" />
+				<br/><b><?=gettext("IP Protocol")?>:</b> <?=htmlspecialchars(ucfirst($_GET['ipproto']))?>
+				<input type="hidden" name="ipproto" value="<?=htmlspecialchars($_GET['ipproto'])?>" />
+	<?php elseif ($_GET['action'] == 'pass'): ?>
+				<b><?=gettext("Rule Type")?>:</b> <?=htmlspecialchars(ucfirst(gettext($_GET['action'])))?>
+				<br/><b><?=gettext("Interface")?>:</b> <?=htmlspecialchars(strtoupper($_GET['int']))?>
+				<input type="hidden" name="int" value="<?=htmlspecialchars($_GET['int'])?>" />
+				<br/><b><?=gettext("Protocol")?>:</b> <?=htmlspecialchars(strtoupper($_GET['proto']))?>
+				<input type="hidden" name="proto" value="<?=htmlspecialchars($_GET['proto'])?>" />
+				<br/><b><?=gettext("Source")?>:</b> <?=htmlspecialchars($_GET['src'])?>
+				<input type="hidden" name="src" value="<?=htmlspecialchars($_GET['src'])?>" />
+				<br/><b><?=gettext("Destination")?>:</b> <?=htmlspecialchars($_GET['dst'])?>
+				<input type="hidden" name="dst" value="<?=htmlspecialchars($_GET['dst'])?>" />
+				<br/><b><?=gettext("Destination Port")?>:</b> <?=htmlspecialchars($_GET['dstport'])?>
+				<input type="hidden" name="dstport" value="<?=htmlspecialchars($_GET['dstport'])?>" />
+				<br/><b><?=gettext("IP Protocol")?>:</b> <?=htmlspecialchars(ucfirst($_GET['ipproto']))?>
+				<input type="hidden" name="ipproto" value="<?=htmlspecialchars($_GET['ipproto'])?>" />
+	<?php	else:
+			$message = gettext("Invalid action specified.");
+		endif; ?>
+				<br/><br/>
+	<?php if (empty($message)): ?>
+				<input type="hidden" name="action" value="<?=htmlspecialchars($_GET['action'])?>" />
+				<input type="hidden" name="confirmed" value="true" />
+				<button type="submit" class="btn btn-success" name="erconfirm" id="erconfirm" value="<?=gettext("Confirm")?>">
+					<i class="fa fa-check icon-embed-btn"></i>
+					<?=gettext("Confirm")?>
+				</button>
+	<?php endif;
+}
+
+if ($message) {
+	print_info_box($message);
+} elseif (empty($_REQUEST['action'])) {
 	print_info_box(
 		gettext('This is the Easy Rule status page, mainly used to display errors when adding rules.') . ' ' .
 		gettext('There apparently was not an error, and this page was navigated to directly without any instructions for what it should do.') .
@@ -110,7 +154,8 @@ if ($message) {
 		', <a href="status_logs_filter.php">' . gettext("Status") . ' &gt; ' . gettext('System Logs') . ', ' . gettext('Firewall Tab') . '</a>.<br />');
 }
 ?>
-		</td>
-	</tr>
-</table>
+			</div>
+		</div>
+	</div>
+</form>
 <?php include("foot.inc"); ?>
diff --git a/src/usr/local/www/status_logs_filter.php b/src/usr/local/www/status_logs_filter.php
index 18b048c..f482e78 100644
--- a/src/usr/local/www/status_logs_filter.php
+++ b/src/usr/local/www/status_logs_filter.php
@@ -267,7 +267,7 @@ if (!$rawfilter) {
 						<i class="fa fa-info icon-pointer icon-primary" onclick="javascript:resolve_with_ajax('<?="{$rawsrcip}"; ?>');" title="<?=gettext("Click to resolve")?>">
 						</i>
 
-						<a class="fa fa-minus-square-o icon-pointer icon-primary" href="easyrule.php?<?="action=block&amp;int={$int}&amp;src={$filterent['srcip']}&amp;ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Add to Block List")?>" onclick="return confirm('<?=gettext("Confirmation required to add this BLOCK rule.")?>')">
+						<a class="fa fa-minus-square-o icon-pointer icon-primary" href="easyrule.php?<?="action=block&amp;int={$int}&amp;src={$filterent['srcip']}&amp;ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Add to Block List")?>">
 						</a>
 
 						<?=$srcstr . '<span class="RESOLVE-' . $src_htmlclass . '"></span>'?>
@@ -276,7 +276,7 @@ if (!$rawfilter) {
 						<i class="fa fa-info icon-pointer icon-primary; ICON-<?= $dst_htmlclass; ?>" onclick="javascript:resolve_with_ajax('<?="{$rawdstip}"; ?>');" title="<?=gettext("Click to resolve")?>">
 						</i>
 
-						<a class="fa fa-plus-square-o icon-pointer icon-primary" href="easyrule.php?<?="action=pass&amp;int={$int}&amp;proto={$proto}&amp;src={$filterent['srcip']}&amp;dst={$filterent['dstip']}&amp;dstport={$filterent['dstport']}&amp;ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Pass this traffic")?>" onclick="return confirm('<?=gettext("Confirmation required to add this PASS rule.")?>')">
+						<a class="fa fa-plus-square-o icon-pointer icon-primary" href="easyrule.php?<?="action=pass&amp;int={$int}&amp;proto={$proto}&amp;src={$filterent['srcip']}&amp;dst={$filterent['dstip']}&amp;dstport={$filterent['dstport']}&amp;ipproto={$ipproto}"; ?>" title="<?=gettext("Easy Rule: Pass this traffic")?>">
 						</a>
 						<?=$dststr . '<span class="RESOLVE-' . $dst_htmlclass . '"></span>'?>
 					</td>
-- 
cgit v1.1