From f71e0ac64d69f423ae202afa93cb13b745ccff99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ermal=20Lu=E7i?=
Date: Mon, 30 Nov 2009 06:06:40 +0000
Subject: Resolves #138 Add propper input validation to aliases. Do not allow to nested different types of aliases. Do not allow on ports to enter something that is not in the range 0-65535.

---
 usr/local/www/firewall_aliases_edit.php | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/usr/local/www/firewall_aliases_edit.php b/usr/local/www/firewall_aliases_edit.php
index 307a544..7324523 100755
--- a/usr/local/www/firewall_aliases_edit.php
+++ b/usr/local/www/firewall_aliases_edit.php
@@ -250,14 +250,23 @@ if ($_POST) {
 			}
 			$final_address_details .= "||";
 			$isfirst++;
-		}
-		if (is_alias($_POST["address{$x}"])) {
-			if (!alias_same_type($_POST["address{$x}"], $_POST['type']))
-				$wrongaliases .= " " . $_POST["address{$x}"];
+
+			if (is_alias($_POST["address{$x}"])) {
+				if (!alias_same_type($_POST["address{$x}"], $_POST['type']))
+					$wrongaliases .= " " . $_POST["address{$x}"];
+			} else if ($_POST['type'] == "port") {
+				if (preg_match("/[^[[:digit:]]]/", $_POST["address{$x}"]) || strlen($_POST["address{$x}"]) > 5)
+					$input_errors[] = $_POST["address{$x}"] . " is not a valid {$_POST['type']} alias.";
+				else if (intval($_POST["address{$x}"]) < 0 || intval($_POST["address{$x}"]) > 65535)
+					$input_errors[] = $_POST["address{$x}"] . " is not a valid port alias.";
+			} else if ($_POST['type'] == "host" || $_POST['type'] == "network") {
+				if (!is_ipaddr($_POST["address{$x}"]) && !is_hostname($_POST["address{$x}"]))
+					$input_errors[] = $_POST["address{$x}"] . " is not a valid {$_POST['type']} alias.";
+			}
 		}
 	}
 	if ($wrongaliases <> "")
-		$input_errors[] = "The following aliases: {$wrongaliases} \ncannot be nested cause they are not of the same type.";
+		$input_errors[] = "The alias(es): {$wrongaliases} \ncannot be nested cause they are not of the same type.";
 }
 
 if (!$input_errors) {
-- 
cgit v1.1
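Review bot: The digit check in the new port branch does not reject non-numeric input, because PCRE parses `[^[[:digit:]]]` as a negated class containing `[` and the digits, followed by a literal `]` — so a value such as `abc` only fails this test when it contains a `]`, then passes the five-character length test, and `intval()` turns it into 0, which sits inside the 0–65535 range and is accepted as a port. Replace the condition with a positive whole-string match, `if (!preg_match("/^[[:digit:]]+$/", $_POST["address{$x}"]) || strlen($_POST["address{$x}"]) > 5)`, after which the `intval(...) < 0` comparison on the following line is redundant and only the `> 65535` bound needs to stay. A short comment above the branch, such as `// port entries must be a plain decimal number in 0-65535`, would make the intent explicit. The enclosing `if ($_POST)` block and the loop that indexes `address{$x}` begin before this hunk.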