Hi, On Sat, 2017-11-11 at 10:45 +0100, Erik Kapfer wrote: > - If the OpenSSL maximum of '999999' will be exceeded over the WUI, the entry in > OpenVPNs database index.txt will be written without a timestamp > and crashes the database which blocks the creation of new clients. > To prevent this, a check has been set which restricts the data field > of 'valid til days' to '6' numerics. > > Fixes: #10482 > --- > html/cgi-bin/ovpnmain.cgi | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > > diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi > index ceb88c1..8f45f04 100644 > --- a/html/cgi-bin/ovpnmain.cgi > +++ b/html/cgi-bin/ovpnmain.cgi > @@ -4039,6 +4039,14 @@ if ($cgiparams{'TYPE'} eq 'net') { > goto VPNCONF_ERROR; > } > > + # Check that OpenSSL maximum of valid days won´t be exceeded > + if (length($cgiparams{'DAYS_VALID'}) > 6) { > + $errormessage = $Lang::tr{'invalid input for valid till days'}; > + unlink ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}/$cgiparams{'NAME'}.conf") or die "Removing Configfile fail: $!"; > + rmdir ("${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}") || die "Removing Directory fail: $!"; > + goto VPNCONF_ERROR; > + } > + I think it would be better just to check if DAYS_VALID is less than 999999. Checking the length of the string wasn't really obvious for me what was actually going to be achieved here. > if ($cgiparams{'ENABLED'} !~ /^(on|off)$/) { > $errormessage = $Lang::tr{'invalid input'}; > goto VPNCONF_ERROR; > @@ -4221,6 +4229,12 @@ if ($cgiparams{'TYPE'} eq 'net') { > goto VPNCONF_ERROR; > } > > + # Check that OpenSSL maximum of valid days won´t be exceeded > + if (length($cgiparams{'DAYS_VALID'}) > 6) { > + $errormessage = $Lang::tr{'invalid input for valid till days'}; > + goto VPNCONF_ERROR; > + } > + > # Replace empty strings with a . > (my $ou = $cgiparams{'CERT_OU'}) =~ s/^\s*$/\./; > (my $city = $cgiparams{'CERT_CITY'}) =~ s/^\s*$/\./; -Michael
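Review bot: In the first hunk (@@ -4039), the cleanup calls 'unlink (...) or die' and 'rmdir (...) || die' sit in front of 'goto VPNCONF_ERROR', so if either removal fails the CGI dies and the user never sees the 'invalid input for valid till days' message. Report the failure through $errormessage and still take the error path. The cleanup also implies the net-to-net config file and directory already exist when DAYS_VALID is checked; validating DAYS_VALID before they are written would make the unlink/rmdir unnecessary. Both paths are built from $cgiparams{'NAME'}, and the visible lines do not show NAME being validated before this point, so please confirm that happens earlier in the block. Minor: the two calls mix 'or die' and '|| die'; pick one form.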
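Review bot: In the second hunk (@@ -4221), 'length($cgiparams{'DAYS_VALID'}) > 6' only bounds the number of characters, so any string of up to six characters passes this test, digits or not, while the commit message says the field is restricted to six numerics. Nothing in the visible lines checks that the value consists of digits. Test the value itself, for example match it against /^[0-9]{1,6}$/ (allowing an empty value explicitly if that must stay valid) or compare it numerically against 999999 as suggested in the reply. The same test is duplicated in the first hunk; a small shared helper would keep the two call sites from drifting apart. The added comment also uses an acute accent in "won´t" where an apostrophe is meant.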