From 36f509579fd40903299477ffd4a4900e57786d73 Mon Sep 17 00:00:00 2001
From: Ermal
Date: Tue, 20 Nov 2012 09:19:47 +0000
Subject: Allow only post action and not get to avoid security problems
---
usr/local/www/edit.php | 27 ++++++++++++---------------
1 file changed, 12 insertions(+), 15 deletions(-)
(limited to 'usr')
diff --git a/usr/local/www/edit.php b/usr/local/www/edit.php
index 56088b4..a87dfa4 100644
--- a/usr/local/www/edit.php
+++ b/usr/local/www/edit.php
@@ -36,46 +36,43 @@
 ##|*MATCH=edit.php*
 ##|-PRIV
-if($_REQUEST['action'] === "load" || $_REQUEST['action'] === "save")
- $nocsrf = true;
-
 $pgtitle = array(gettext("Diagnostics"), gettext("Edit file"));
 require("guiconfig.inc");
-if($_REQUEST['action']) {
- switch($_REQUEST['action']) {
+if($_POST['action']) {
+ switch($_POST['action']) {
 case 'load':
- if(strlen($_REQUEST['file']) < 1) {
+ if(strlen($_POST['file']) < 1) {
 echo "|5|" . gettext("No file name specified") . ".|";
- } elseif(is_dir($_REQUEST['file'])) {
+ } elseif(is_dir($_POST['file'])) {
 echo "|4|" . gettext("Loading a directory is not supported") . ".|";
- } elseif(! is_file($_REQUEST['file'])) {
+ } elseif(! is_file($_POST['file'])) {
 echo "|3|" . gettext("File does not exist or is not a regular file") . ".|";
 } else {
- $data = file_get_contents(urldecode($_REQUEST['file']));
+ $data = file_get_contents(urldecode($_POST['file']));
 if($data === false) {
 echo "|1|" . gettext("Failed to read file") . ".|";
 } else {
- echo "|0|{$_REQUEST['file']}|{$data}|";
+ echo "|0|{$_POST['file']}|{$data}|";
 }
 }
 exit;
 case 'save':
- if(strlen($_REQUEST['file']) < 1) {
+ if(strlen($_POST['file']) < 1) {
 echo "|" . gettext("No file name specified") . ".|";
 } else {
 conf_mount_rw();
- $_REQUEST['data'] = str_replace("\r", "", base64_decode($_REQUEST['data']));
- $ret = file_put_contents($_REQUEST['file'], $_REQUEST['data']);
+ $_POST['data'] = str_replace("\r", "", base64_decode($_POST['data']));
+ $ret = file_put_contents($_POST['file'], $_POST['data']);
 conf_mount_ro();
- if($_REQUEST['file'] == "/conf/config.xml" || $_REQUEST['file'] == "/cf/conf/config.xml") {
+ if($_POST['file'] == "/conf/config.xml" || $_POST['file'] == "/cf/conf/config.xml") {
 if(file_exists("/tmp/config.cache")) unlink("/tmp/config.cache");
 disable_security_checks();
 }
 if($ret === false) {
 echo "|" . gettext("Failed to write file") . ".|";
- } elseif($ret <> strlen($_REQUEST['data'])) {
+ } elseif($ret <> strlen($_POST['data'])) {
 echo "|" . 
gettext("Error while writing file") . ".|";
 } else {
 echo "|" . gettext("File successfully saved") . ".|";
-- cgit v1.1
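Review bot: In the `load` branch the `is_dir`/`is_file` checks run on the raw `$_POST['file']` while the read uses `urldecode($_POST['file'])`, so the path that was validated and the path that is opened can differ whenever the value contains `%` sequences; `save` writes to the undecoded value, so the two actions also interpret the same parameter differently. Decode once before the `switch` — `$file = urldecode($_POST['file']);` — and use `$file` in the `strlen`, `is_dir`, `is_file`, `file_get_contents`, `file_put_contents` and `echo` lines (or drop the `urldecode` in `load` if callers already send raw paths), so the check and the use always see the same string. Removing the `$nocsrf` bypass presumably puts both actions behind the CSRF check in guiconfig.inc; the client-side code that issues the load/save POSTs is outside this hunk and must now include the token or both actions will be rejected. The `if`/`switch` opened here closes outside the hunk.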