From 612230234f2522c2c370a1ed3ffd8bb969b50397 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Thu, 24 Jan 2013 10:09:06 +0000
Subject: Validate before taking the input and do anything with it
---
 usr/local/www/vpn_pppoe.php | 3 ++-
 usr/local/www/vpn_pppoe_edit.php | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)
 (limited to 'usr/local/www')
diff --git a/usr/local/www/vpn_pppoe.php b/usr/local/www/vpn_pppoe.php
index 03547d9..1b67ef2 100755
--- a/usr/local/www/vpn_pppoe.php
+++ b/usr/local/www/vpn_pppoe.php
@@ -75,7 +75,8 @@ if ($_GET['act'] == "del") {
 if ($a_pppoes[$_GET['id']]) {
 if ("{$g['varrun_path']}/pppoe" . $a_pppoes[$_GET['id']]['pppoeid'] . "-vpn.pid")
 killbypid("{$g['varrun_path']}/pppoe" . $a_pppoes[$_GET['id']]['pppoeid'] . "-vpn.pid");
- mwexec("/bin/rm -r {$g['varetc_path']}/pppoe" . $a_pppoes[$_GET['id']]['pppoeid']);
+ if (is_dir({$g['varetc_path']}/pppoe" . $a_pppoes[$_GET['id']]['pppoeid']))
+ mwexec("/bin/rm -r {$g['varetc_path']}/pppoe" . $a_pppoes[$_GET['id']]['pppoeid']);
 unset($a_pppoes[$_GET['id']]);
 write_config();
 header("Location: vpn_pppoe.php");
diff --git a/usr/local/www/vpn_pppoe_edit.php b/usr/local/www/vpn_pppoe_edit.php
index 0919904..9afe2f5 100755
--- a/usr/local/www/vpn_pppoe_edit.php
+++ b/usr/local/www/vpn_pppoe_edit.php
@@ -145,6 +145,9 @@ if ($_POST) {
 }
 }
+ if ($_POST['pppoeid'] && !is_numeric($_POST['pppoeid']))
+ $input_errors[] = gettext("Wrong data submitted");
+
 if (!$input_errors) {
 $pppoecfg = array();
-- 
cgit v1.1
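Review bot: The added guard `if (is_dir({$g['varetc_path']}/pppoe" . ...` is missing the opening double quote before `{$g['varetc_path']}`, so as shown the file does not parse and the whole page fails, not just the delete action. Separately, the `mwexec("/bin/rm -r ...")` line still interpolates the stored `pppoeid` into a shell command string unquoted, and the `is_numeric` check added in vpn_pppoe_edit.php presumably only covers values saved after this change. Building the path once and quoting it fixes both: `$dir = "{$g['varetc_path']}/pppoe" . $a_pppoes[$_GET['id']]['pppoeid'];` followed by `if (is_dir($dir)) mwexec("/bin/rm -r " . escapeshellarg($dir));`. The enclosing `if ($_GET['act'] == "del")` block starts and ends outside the hunk.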
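Review bot: `is_numeric()` is looser than an id check needs, since it accepts signed, decimal and exponent forms such as `-1`, `1.5` or `1e3`. If the posted value is what later becomes the `pppoeid` used to build the `pppoe<id>` directory and pid-file paths in vpn_pppoe.php (not visible here, so worth confirming), those forms would end up in file paths and in the `rm -r` command. A digits-only test matches what the field is meant to hold: `if ($_POST['pppoeid'] && !ctype_digit((string)$_POST['pppoeid']))`. The message "Wrong data submitted" also does not say which field was rejected; naming the field would help the administrator. The `if ($_POST)` block continues outside the hunk.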