From b45babaeb55ac039f498d13ce556f2d04d4db1f4 Mon Sep 17 00:00:00 2001 From: Evgeny Yurchenko Date: Fri, 27 May 2011 21:55:22 +0000 Subject: Bug #1403. Filter Rules description do not get saved when "(quote) present as character --- usr/local/www/firewall_nat_1to1_edit.php | 9 +++++++++ usr/local/www/firewall_nat_edit.php | 17 +---------------- usr/local/www/firewall_nat_out_edit.php | 9 +++++++++ 3 files changed, 19 insertions(+), 16 deletions(-) (limited to 'usr/local/www') diff --git a/usr/local/www/firewall_nat_1to1_edit.php b/usr/local/www/firewall_nat_1to1_edit.php index e9f4577..135d0e9 100755 --- a/usr/local/www/firewall_nat_1to1_edit.php +++ b/usr/local/www/firewall_nat_1to1_edit.php @@ -99,6 +99,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface external"); diff --git a/usr/local/www/firewall_nat_edit.php b/usr/local/www/firewall_nat_edit.php index 9895312..970720e 100755 --- a/usr/local/www/firewall_nat_edit.php +++ b/usr/local/www/firewall_nat_edit.php @@ -101,6 +101,7 @@ if (isset($_GET['dup'])) /* run through $_POST items encoding HTML entties so that the user * cannot think he is slick and perform a XSS attack on the unwilling */ +unset($input_errors); foreach ($_POST as $key => $value) { $temp = $value; $newpost = htmlentities($temp); @@ -173,7 +174,6 @@ if ($_POST) { $_POST['dsttype'] = "single"; } - unset($input_errors); $pconfig = $_POST; /* input validation */ @@ -290,9 +290,6 @@ if ($_POST) { } } - // Allow extending of the nat edit page and include custom input validation - pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/input_validation"); - if (!$input_errors) { $natent = array(); @@ -425,9 +422,6 @@ if ($_POST) { mark_subsystem_dirty('natconf'); - // Allow extending of the nat edit page and include custom input validation - pfSense_handle_custom_code("/usr/local/pkg/firewall_nat/pre_write_config"); - write_config(); header("Location: firewall_nat.php"); @@ -446,11 +440,6 @@ include("fbegin.inc"); ?>
- - @@ -828,10 +817,6 @@ include("fbegin.inc"); ?> - diff --git a/usr/local/www/firewall_nat_out_edit.php b/usr/local/www/firewall_nat_out_edit.php index 4d960f2..5057ea8 100755 --- a/usr/local/www/firewall_nat_out_edit.php +++ b/usr/local/www/firewall_nat_out_edit.php @@ -115,6 +115,15 @@ if ($_POST) { unset($input_errors); $pconfig = $_POST; + /* run through $_POST items encoding HTML entties so that the user + * cannot think he is slick and perform a XSS attack on the unwilling + */ + foreach ($_POST as $key => $value) { + $temp = str_replace(">", "", $value); + $newpost = htmlentities($temp); + if($newpost <> $temp) + $input_errors[] = sprintf(gettext("Invalid characters detected (%s). Please remove invalid characters and save again."),$temp); + } /* input validation */ $reqdfields = explode(" ", "interface protocol source source_subnet destination destination_subnet"); -- cgit v1.1