From 034f08e7dd102c09e60184220927e6c5cba9f10c Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Tue, 9 Nov 2010 11:38:27 -0500
Subject: Fix Misc XSS issues

---
 usr/local/www/diag_dump_states.php | 8 ++++----
 usr/local/www/fbegin.inc | 2 +-
 usr/local/www/status_rrd_graph.php | 3 +--
 3 files changed, 6 insertions(+), 7 deletions(-)
(limited to 'usr')

diff --git a/usr/local/www/diag_dump_states.php b/usr/local/www/diag_dump_states.php
index a2009c9..69d8dfd 100755
--- a/usr/local/www/diag_dump_states.php
+++ b/usr/local/www/diag_dump_states.php
@@ -44,8 +44,8 @@ require_once("guiconfig.inc");
 /* handle AJAX operations */
 if($_GET['action']) {
 if($_GET['action'] == "remove") {
- $srcip = $_GET['srcip'];
- $dstip = $_GET['dstip'];
+ $srcip = escapeshellarg($_GET['srcip']);
+ $dstip = escapeshellarg($_GET['dstip']);
 if (is_ipaddr($srcip) and is_ipaddr($dstip)) {
 $retval = mwexec("/sbin/pfctl -k '{$srcip}' -k '{$dstip}'");
 echo htmlentities("|{$srcip}|{$dstip}|{$retval}|");
@@ -58,7 +58,7 @@ if($_GET['action']) {
 /* get our states */
 if($_GET['filter']) {
- exec("/sbin/pfctl -s state | grep " . escapeshellarg($_GET['filter']), $states);
+ exec("/sbin/pfctl -s state | grep " . escapeshellarg(htmlspecialchars($_GET['filter'])), $states);
 } else {
 exec("/sbin/pfctl -s state", $states);
@@ -135,7 +135,7 @@ include("head.inc"); - + " />
diff --git a/usr/local/www/fbegin.inc b/usr/local/www/fbegin.inc
index eb1c0aa..12f8428 100755
--- a/usr/local/www/fbegin.inc
+++ b/usr/local/www/fbegin.inc
@@ -221,7 +221,7 @@ if(! $g['disablehelpmenu']) {
 /* NOTICE ACKNOWLEDGE CODE by Erik Kristensen */
 if ($_REQUEST['noticeaction'] == 'acknowledge') {
- $notice_id = $_REQUEST['noticeid'];
+ $notice_id = htmlspecialchars($_REQUEST['noticeid']);
 close_notice($notice_id);
 }
 /**********************************************/
diff --git a/usr/local/www/status_rrd_graph.php b/usr/local/www/status_rrd_graph.php
index b4f6911..48f5734 100755
--- a/usr/local/www/status_rrd_graph.php
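Review bot: In the diag_dump_states.php hunk at line 44, `escapeshellarg()` is applied before the `is_ipaddr($srcip) and is_ipaddr($dstip)` check on the next context line, but it wraps the value in single quotes, so the check sees `'10.0.0.1'` rather than an address and (assuming is_ipaddr rejects the quotes, as an address validator should) the remove action can no longer run; the `mwexec` line also already quotes `'{$srcip}'`, so a value that did pass would be doubly quoted. The `is_ipaddr` check is the real guard here: keep the raw assignments `$srcip = $_GET['srcip'];` and `$dstip = $_GET['dstip'];` and escape at the point of use, `$retval = mwexec("/sbin/pfctl -k " . escapeshellarg($srcip) . " -k " . escapeshellarg($dstip));`. The `echo htmlentities(...)` on the last context line is then the right place for the HTML concern and needs no change. The enclosing `if` block continues past the end of the hunk.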
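Review bot: In the hunk at line 58, `htmlspecialchars()` is applied to `$_GET['filter']` before it is handed to grep, so a filter containing `&`, `<`, `>` or a quote is rewritten (`&` becomes `&amp;`) and grep searches for the encoded text instead of what the user typed; `escapeshellarg()` alone already keeps the value out of the shell. HTML encoding belongs where the filter is echoed back into the page (presumably the form field in the hunk at line 135, whose content is stripped in this view), so the exec line should return to `escapeshellarg($_GET['filter'])` and the output site should call htmlspecialchars instead. Separately, because the filter is grep's first argument, a value beginning with `-` is read as an option rather than a pattern; `exec("/sbin/pfctl -s state | grep -e " . escapeshellarg($_GET['filter']), $states);` avoids that.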
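Review bot: In the fbegin.inc hunk at line 221, `htmlspecialchars()` on `$_REQUEST['noticeid']` encodes for HTML output, but the value is only passed to `close_notice($notice_id)`, whose body is not visible here; if close_notice uses the id as a lookup key the encoding either does nothing or, for an id containing `&` or quotes, stops the matching notice from being found, and if the id is echoed somewhere the encoding should happen at that output site. A check that the id has the shape close_notice expects (an anchored regex, or `ctype_digit($_REQUEST['noticeid'])` if ids are numeric — confirm against close_notice) before the call would be the more useful guard. The enclosing `if(! $g['disablehelpmenu'])` block starts before the hunk.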
+++ b/usr/local/www/status_rrd_graph.php
@@ -54,7 +54,7 @@ $databases = glob("*.rrd");
 if ($_GET['cat']) {
- $curcat = $_GET['cat'];
+ $curcat = htmlspecialchars($_GET['cat']);
 } else {
 if(! empty($config['rrd']['category'])) {
 $curcat = $config['rrd']['category'];
@@ -281,7 +281,6 @@ function get_dates($curperiod, $graph) {
 return $dates;
 }
-
 ?>
--
cgit v1.1
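Review bot: In the status_rrd_graph.php hunk at line 54, `htmlspecialchars()` is applied to `$_GET['cat']` at input while the `else` branch assigns `$config['rrd']['category']` unencoded, so `$curcat` is HTML-encoded or not depending on where it came from; any later `echo` of `$curcat` must still encode it, and any use of it as a key (the `$databases = glob("*.rrd")` context in the hunk header suggests categories are matched against file names) would not match a category containing `&` or quotes. Checking that the requested value is one of the categories derived from `$databases`, and encoding `$curcat` only where it is printed, would make both branches consistent. The second hunk at line 281 only removes a blank line and needs no review.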