From 4fe9c2dcf1c90253b2b6a70e67b06c76ff251b35 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 10 Nov 2010 11:56:23 -0500 Subject: * Adding function get_configured_ip_addresses() which returns all interfaces and their configured IP address * Add checkbox to System -> Advanced -> Admin for HTTP_REFERER checks * Add and enforce HTTP_REFERER check if checkbox is not checked. This will prevent HTML pages from crafting HTML GETs against the web interface and will prevent firewall admins from being "tricked" into clicking on links that may be harmful to their firewall. --- etc/inc/auth.inc | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 13ca678..e7484c1 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc 
@@ -86,6 +86,32 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ } } +// If the HTTP_REFERER is something other than ourselves then disallow. +if(!$config['system']['nohttpreferercheck']) { + if($_SERVER['HTTP_REFERER']) { + $found_host = false; + $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain']; + if(stristr($_SERVER['HTTP_REFERER'], $hostname_me)) + $found_host = true; + if(!empty($config['system']['webgui']['althostnames'])) { + $althosts = explode(" ", $config['system']['webgui']['althostnames']); + foreach ($althosts as $ah) + if(stristr($ah, $hostname_me)) + $found_host = true; + } + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips; + if(stristr($hostname_me_ip, $ilips)) + $found_host = true; + } + if($found_host == false) { + display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . $_SERVER['HTTP_REFERER'] . "). You can disable this check if needed in System -> Advanced -> Admin."); + exit; + } + } +} + $groupindex = index_groups(); $userindex = index_users(); -- cgit v1.1 From 9734b0545e77614ec89f3848432212a809fb9a26 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 10 Nov 2010 12:00:32 -0500 Subject: Remove trailing carriage return --- etc/inc/auth.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index e7484c1..d4e0875 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -1270,4 +1270,4 @@ function session_auth() { return true; } -?> +?> \ No newline at end of file -- cgit v1.1 From 0bb2879551389e31286ee1a9b56071273a8a5e33 Mon Sep 17 00:00:00 2001 
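Review bot: The alternate-hostname loop compares the wrong strings: `if(stristr($ah, $hostname_me))` asks whether a configured althostnames entry contains the firewall's own hostname, so this loop never consults the referer at all and an alternate hostname can only "match" when it happens to contain the primary one. It should search the referer the way the preceding `$hostname_me` test does: `if(stristr($_SERVER['HTTP_REFERER'], $ah))`. The same reversed comparison survives unchanged into the `@@ -95,15 +95,24 @@` hunk of e6b960c later in this series, where the new `empty($ah)` guard therefore protects a search that still does not look at the referer. Separately, `if($_SERVER['HTTP_REFERER'])` reads an index that is absent on any request sent without a Referer header; `if(!empty($_SERVER['HTTP_REFERER']))` avoids the undefined-index notice while keeping the same decision.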
From: Scott Ullrich Date: Wed, 10 Nov 2010 12:45:49 -0500 Subject: Correct HTTP_REFERER check when using an IP Address vs the Firewalls hostname --- etc/inc/auth.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index d4e0875..443c9dc 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -102,7 +102,7 @@ if(!$config['system']['nohttpreferercheck']) { $interface_list_ips = get_configured_ip_addresses(); foreach($interface_list_ips as $ilips) { $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips; - if(stristr($hostname_me_ip, $ilips)) + if(stristr($_SERVER['HTTP_REFERER'],$hostname_me_ip)) $found_host = true; } if($found_host == false) { -- cgit v1.1 From 4656943e59eb19a534c06cc253e266da6c52e915 Mon Sep 17 00:00:00 2001 From: jim-p Date: Fri, 12 Nov 2010 11:35:02 -0500 Subject: Fix a theoretical/potential XSS in the http_referer check warning. --- etc/inc/auth.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 443c9dc..3628436 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -106,7 +106,7 @@ if(!$config['system']['nohttpreferercheck']) { $found_host = true; } if($found_host == false) { - display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . $_SERVER['HTTP_REFERER'] . "). You can disable this check if needed in System -> Advanced -> Admin."); + display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); exit; } } -- cgit v1.1 From 856d2bf957e10c98597a29135337b5bd35899893 Mon Sep 17 00:00:00 2001 
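Review bot: `$hostname_me_ip` is built from `$config['webgui']['protocol']`, while every other web-GUI setting visible in this file is read from `$config['system']['webgui']` (the althostnames and DNS-rebind reads in the surrounding hunks). If the protocol is stored under the latter path, this expression collapses to `"://" . $ilips` and the scheme contributes nothing to the match; presumably `$config['system']['webgui']['protocol']` was intended — confirm against the config schema. The corrected `stristr($_SERVER['HTTP_REFERER'],$hostname_me_ip)` now does search the referer, but as a substring search it only establishes that `protocol://IP` occurs somewhere in the referer string, not that the referer's host is that address; a comment on the line saying this is a loose prefix match would at least make the limitation explicit until the comparison is done on the parsed host.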
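Review bot: `htmlspecialchars($_SERVER['HTTP_REFERER'])` is called without flags or charset, so on the PHP versions of this era single quotes are left unescaped (the default is ENT_COMPAT) and the character set falls back to the interpreter default. That is enough only if display_error_form() places the message in element content or a double-quoted attribute; how it embeds the message is not visible here, so the context should be confirmed. Passing both explicitly removes the dependence on defaults: `htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES, 'UTF-8')`.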
From: Erik Fonnesbeck Date: Sat, 13 Nov 2010 23:00:43 -0700 Subject: Unset this reference before reusing the variable name to prevent corruption of groups. --- etc/inc/auth.inc | 2 ++ 1 file changed, 2 insertions(+) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 3628436..84b73dc 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -475,6 +475,7 @@ function local_user_set_groups($user, $new_groups = NULL ) { $group['member'][] = $user['uid']; $mod_groups[] = $group; } + unset($group); /* determine which memberships to remove */ foreach ($cur_groups as $groupname) { @@ -489,6 +490,7 @@ function local_user_set_groups($user, $new_groups = NULL ) { $mod_groups[] = $group; } } + unset($group); /* sync all modified groups */ foreach ($mod_groups as $group) -- cgit v1.1 From 0aa72c108dd7d15f9bac62bf22eef0924c717b0d Mon Sep 17 00:00:00 2001 From: Erik Fonnesbeck Date: Sun, 14 Nov 2010 04:05:40 -0700 Subject: Don't perform referer check if display_error_form is not defined (captive portal), just like as is done for the DNS rebind check. Ticket #1007 --- etc/inc/auth.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 84b73dc..dbd8a3e 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -87,7 +87,7 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ } // If the HTTP_REFERER is something other than ourselves then disallow. -if(!$config['system']['nohttpreferercheck']) { +if(function_exists("display_error_form") && !$config['system']['nohttpreferercheck']) { if($_SERVER['HTTP_REFERER']) { $found_host = false; $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain']; -- cgit v1.1 From 55068970f26911be51fe40eae5264df4ea0b29f5 Mon Sep 17 00:00:00 2001 
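Review bot: Each added `unset($group);` exists to drop a reference, as the commit subject explains, but neither hunk says so in the code and the loop that creates the reference (presumably a `foreach` by reference) lies outside both hunks, so a reader of these lines sees an unmotivated unset that a later cleanup could remove. A short comment at both sites would keep the rationale with the code: `/* drop the reference left by the loop above; reusing $group by value would overwrite the last element */`. The enclosing function local_user_set_groups starts and ends outside both hunks.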
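Review bot: The new `function_exists("display_error_form")` guard encodes a context decision (the captive portal, per the commit message) that nothing in the code explains; a reader sees only that the referer check silently disappears whenever a helper happens to be undefined. A comment on the `if` would keep the reason with the code: `// Skipped when display_error_form() is unavailable (captive portal), as for the DNS rebind check above.` The `if` block this line opens continues past the end of the hunk.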
From: Erik Fonnesbeck Date: Mon, 15 Nov 2010 18:31:30 -0700 Subject: Fix case for testing the referrer check setting. Ticket #1011 --- etc/inc/auth.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index dbd8a3e..1872ee8 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -87,7 +87,7 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ } // If the HTTP_REFERER is something other than ourselves then disallow. -if(function_exists("display_error_form") && !$config['system']['nohttpreferercheck']) { +if(function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) { if($_SERVER['HTTP_REFERER']) { $found_host = false; $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain']; -- cgit v1.1 From e6b960ccffd51fd6a2ad190760f029608051f478 Mon Sep 17 00:00:00 2001 From: Erik Fonnesbeck Date: Mon, 15 Nov 2010 20:56:47 -0700 Subject: Make sure this isn't searching the referrer using a blank host or IP, which will always match the referrer. --- etc/inc/auth.inc | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'etc/inc/auth.inc') diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 1872ee8..b966af3 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc 
@@ -95,15 +95,24 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui'][' $found_host = true; if(!empty($config['system']['webgui']['althostnames'])) { $althosts = explode(" ", $config['system']['webgui']['althostnames']); - foreach ($althosts as $ah) - if(stristr($ah, $hostname_me)) + foreach ($althosts as $ah) { + if(empty($ah)) + continue; + if(stristr($ah, $hostname_me)) { $found_host = true; + break; + } + } } $interface_list_ips = get_configured_ip_addresses(); foreach($interface_list_ips as $ilips) { + if(empty($ilips)) + continue; $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips; - if(stristr($_SERVER['HTTP_REFERER'],$hostname_me_ip)) + if(stristr($_SERVER['HTTP_REFERER'],$hostname_me_ip)) { $found_host = true; + break; + } } if($found_host == false) { display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin."); -- cgit v1.1
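Review bot: After this change the IP loop still decides with `stristr($_SERVER['HTTP_REFERER'], $hostname_me_ip)`, a substring search for `protocol://IP` rather than a comparison of the referer's host component, so a referer whose host merely begins with one of the firewall's addresses is accepted, and the `$hostname_me` test above the hunk has the same shape. Parsing the referer once before the loops, `$referer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);`, and then comparing `if(strcasecmp($referer_host, $ilips) == 0) {` makes the match exact; if get_configured_ip_addresses() can return IPv6 addresses, strip the brackets parse_url keeps around a literal before comparing, and treat a `false` from parse_url as no match. The added `break` statements only leave their own loop, so when an alternate hostname matches the code still calls get_configured_ip_addresses() and walks every address; harmless, but wrapping the IP section in `if(!$found_host)` would make the early exit real. The enclosing `if` block starts outside the hunk.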