From 4fe9c2dcf1c90253b2b6a70e67b06c76ff251b35 Mon Sep 17 00:00:00 2001 From: Scott Ullrich Date: Wed, 10 Nov 2010 11:56:23 -0500 Subject: * Adding function get_configured_ip_addresses() which returns all interfaces and their configured IP address * Add checkbox to System -> Advanced -> Admin for HTTP_REFERER checks * Add and enforce HTTP_REFERER check if checkbox is not checked. This will prevent HTML pages from crafting HTML GETs against the web interface and will prevent firewall admins from being "tricked" into clicking on links that may be harmful to their firewall. --- usr/local/www/system_advanced_admin.php | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) (limited to 'usr/local/www/system_advanced_admin.php') diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php index f34d1c7..7875802 100644 --- a/usr/local/www/system_advanced_admin.php +++ b/usr/local/www/system_advanced_admin.php @@ -3,7 +3,7 @@ /* system_advanced_admin.php part of pfSense - Copyright (C) 2005-2007 Scott Ullrich + Copyright (C) 2005-2010 Scott Ullrich Copyright (C) 2008 Shrew Soft Inc @@ -56,6 +56,7 @@ $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttp $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']); +$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']); $pconfig['althostnames'] = $config['system']['webgui']['althostnames']; $pconfig['enableserial'] = $config['system']['enableserial']; $pconfig['enablesshd'] = $config['system']['enablesshd']; 
@@ -140,6 +141,11 @@ if ($_POST) { else unset($config['system']['webgui']['nodnsrebindcheck']); + if ($_POST['nohttpreferercheck'] == "yes") + $config['system']['webgui']['nohttpreferercheck'] = true; + else + unset($config['system']['webgui']['nohttpreferercheck']); + if ($_POST['althostnames']) $config['system']['webgui']['althostnames'] = $_POST['althostnames']; else @@ -360,6 +366,18 @@ function prot_change() { + + + /> + +
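Review bot: The added branch reads `$_POST['nohttpreferercheck']` without first checking that the key exists, and compares it loosely with `==`. An unticked checkbox is not submitted at all, so I would write `if (isset($_POST['nohttpreferercheck']) && $_POST['nohttpreferercheck'] === "yes")`. Because this flag switches off a request-forgery protection for the whole webGUI, the block also deserves a comment such as `/* key absent = HTTP_REFERER check enforced (secure default); key present = check disabled */`. The code that enforces the Referer check is not in this diff, which is limited to this file, so its handling of a missing or empty Referer header should be confirmed separately. The enclosing `if ($_POST)` block starts and ends outside the hunk, so whether this save path is itself protected against forged requests cannot be judged from here.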
+ Wikipedia."); ?> + + +   -- cgit v1.1