From 0e782e9f576aee02d4e2e5147e24bc5def261355 Mon Sep 17 00:00:00 2001
From: stilez
Date: Thu, 15 Sep 2016 10:50:31 +0100
Subject: Improve icmptype input sanitising
---
 src/usr/local/www/firewall_rules_edit.php | 35 +++++++++++++++++++------------
 1 file changed, 22 insertions(+), 13 deletions(-)
(limited to 'src/usr/local/www/firewall_rules_edit.php')
diff --git a/src/usr/local/www/firewall_rules_edit.php b/src/usr/local/www/firewall_rules_edit.php
index 4ddfeed..1f1c320 100644
--- a/src/usr/local/www/firewall_rules_edit.php
+++ b/src/usr/local/www/firewall_rules_edit.php
@@ -575,21 +575,30 @@ if ($_POST) {
 }
 if ($_POST['proto'] == "icmp") {
- $t = $_POST['icmptype'];
- $bad_types = array();
- if (is_array($t) && ((count($t) == 1 && !isset($t['any'])) || count($t) > 1)) {
- // Only need to check valid if just one selected != "any", or >1 selected
- $p = $_POST['ipprotocol'];
- foreach ($t as $type) {
- if ( ($p == 'inet' && !array_key_exists($type, $icmptypes4)) ||
- ($p == 'inet6' && !array_key_exists($type, $icmptypes6)) ||
- ($p == 'inet46' && !array_key_exists($type, $icmptypes46))) {
- $bad_types[] = $type;
+ $t =& $_POST['icmptype'];
+ if (isset($t) && !is_array($t)) {
+ // shouldn't happen but avoids making assumptions for data-sanitising
+ $input_errors[] = gettext("ICMP types expected to be a list if present, but is not.");
+ } elseif (!isset($t) || count($t) == 0) {
+ // not specified or none selected
+ unset($_POST['icmptype']);
+ } else {
+ // check data
+ $bad_types = array();
+ if ((count($t) == 1 && !isset($t['any'])) || count($t) > 1) {
+ // Only need to check valid if just one selected != "any", or >1 selected
+ $p = $_POST['ipprotocol'];
+ foreach ($t as $type) {
+ if ( ($p == 'inet' && !array_key_exists($type, $icmptypes4)) ||
+ ($p == 'inet6' && !array_key_exists($type, $icmptypes6)) ||
+ ($p == 'inet46' && !array_key_exists($type, $icmptypes46))) {
+ $bad_types[] = $type;
+ }
 }
 }
- }
- if (count($bad_types) > 0) {
- $input_errors[] = sprintf(gettext("Invalid ICMP subtype: %s can not be used with %s."), implode(';', $bad_types), $t['name']);
+ if (count($bad_types) > 0) {
+ $input_errors[] = sprintf(gettext("Invalid ICMP subtype: %s can not be used with %s."), implode(';', $bad_types), $t['name']);
+ }
 }
 } else {
 unset($_POST['icmptype']); // field not applicable, might hold junk from old hidden selections. Unset it.
-- cgit v1.1
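Review bot: The membership check inside the `foreach` fails open: when `$_POST['ipprotocol']` is anything other than `inet`, `inet6` or `inet46`, none of the three clauses matches and every submitted ICMP type is accepted without being looked up in any table. Unless `ipprotocol` is rejected earlier (not visible in this hunk), add a final clause such as `|| !in_array($p, array('inet', 'inet6', 'inet46'), true)` so that an unknown address family marks the type as bad. The error message also still formats `$t['name']`, which indexes the posted type list rather than naming a protocol, so the second `%s` will most likely be empty; passing `$p` or its display name would make the message meaningful. The enclosing `if ($_POST)` block starts and ends outside the hunk.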