From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH 11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889 Date: Thu, 25 Sep 2025 13:12:47 +0200 Message-ID: <20250925111252.11893-11-adolf.belka@ipfire.org> In-Reply-To: <20250925111252.11893-1-adolf.belka@ipfire.org> References: <20250925111252.11893-1-adolf.belka@ipfire.org> Fixes: bug 13887 - urlfilter.cgi BE_NAME Command Injection Fixes: bug 13888 - urlfilter.cgi USERQUOTA QUOTA_USERS Stored Cross-Site Scripting Fixes: bug 13889 - urlfilter.cgi TIMECONSTRAINT SRC DST COMMENT Stored Cross-Site Scripting Signed-off-by: Adolf Belka --- html/cgi-bin/urlfilter.cgi | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi index 1ced06e26..2467f297c 100644 --- a/html/cgi-bin/urlfilter.cgi +++ b/html/cgi-bin/urlfilter.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # +# Copyright (C) 2005-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -576,7 +576,7 @@ if (($uqsettings{'MODE'} eq 'USERQUOTA') && ($uqsettings{'ACTION'} eq $Lang::tr{ $_ = $uqsettings{'QUOTA_USERS'}; chomp; s/\n/|/g; - my $quota_users = $_; + my $quota_users = &Header::escape($_); if ($uqsettings{'QUOTA_USERS'} =~ /\\/) { 
@@ -936,6 +936,11 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes close FILE; # XXX uses globbing + if(!($besettings{'BE_NAME'} =~ /^[a-zA-Z0-9-_]+$/)) + { + $errormessage = 'Invalid blacklist name (use only alphanumeric characters plus hyphens or underscores)'; + goto ERROR; + } system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db"); &General::system("/usr/bin/squidGuard", "-c", "$editdir/install.conf", "-C", "all"); # XXX uses globbing @@ -2047,6 +2052,10 @@ foreach $line (@tclist) if ($temp[7] eq 'on') { $time.=$Lang::tr{'urlfilter sun'}; } else { $time.='='; } $time=$time.'   '.$temp[8].':'.$temp[9].' to '.$temp[10].':'.$temp[11]; + $temp[12] = &Header::escape($temp[12]); + $temp[13] = &Header::escape($temp[13]); + $temp[16] = &Header::escape($temp[16]); + print <$temp[0] $time -- 2.51.0
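Review bot: In the @@ -576 hunk, `my $quota_users = &Header::escape($_);` escapes the submitted QUOTA_USERS value on the input side, while the @@ -2047 hunk of the same patch escapes at print time, and the two approaches should not be mixed without a comment. If `$quota_users` is what gets written to the quota configuration, a user name containing `&`, `<`, `>` or a quote will be stored as HTML entities, so it may no longer match the real name and may be escaped a second time if the display code is hardened later. Consider keeping the raw value in `$quota_users` and calling `&Header::escape()` where the list is printed, or add a comment explaining why input-side escaping is safe here. The backslash test on the following line still reads the raw `$uqsettings{'QUOTA_USERS'}`, which is worth stating explicitly so nobody "fixes" it to use the escaped copy.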
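Review bot: In the @@ -936 hunk, the new check `/^[a-zA-Z0-9-_]+$/` is anchored with `$`, which in Perl also matches before a trailing newline, so a BE_NAME ending in "\n" passes validation and still reaches the single-string `system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db")`. Use `\z` as the end anchor and move the hyphen to the end of the class so it cannot be read as a range: `/^[a-zA-Z0-9_-]+\z/`. Two smaller points: the check is inserted between the existing `# XXX uses globbing` comment and the `system()` call that comment describes, so the comment should move down with the call; and the error text is a hard-coded English string while the rest of the visible code uses `$Lang::tr{...}`, so it should get a translation key. If BE_NAME is used earlier in this block (for example in the file closed by `close FILE;`), the validation belongs before that first use rather than just before the `rm`.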
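Review bot: In the @@ -2047 hunk, only `$temp[12]`, `$temp[13]` and `$temp[16]` are escaped, but the unchanged context shows `$temp[8]` through `$temp[11]` being concatenated into `$time` and `$temp[0]` going into the `print` as-is. Please confirm those fields are validated when the time constraint is saved, or escape them here as well so every column of the row is handled the same way. The bare indices are also hard to audit against the commit message's "SRC DST COMMENT"; a short comment mapping 12, 13 and 16 to those field names would make it clear that nothing was missed. Since this patch closes three separate bugs in one commit, splitting it per bug would also make each fix easier to review and to backport.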