From: Stefan Schantl
To: development@lists.ipfire.org
Cc: Stefan Schantl
Subject: [PATCH 1/3] lldp.cgi: Add missing validation for description field
Date: Sat, 15 Nov 2025 11:07:56 +0100
Message-ID: <20251115100758.7039-1-stefan.schantl@ipfire.org>

Signed-off-by: Stefan Schantl
--- html/cgi-bin/lldp.cgi | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/html/cgi-bin/lldp.cgi b/html/cgi-bin/lldp.cgi index 755d3dc46..9e30faa92 100644 --- a/html/cgi-bin/lldp.cgi +++ b/html/cgi-bin/lldp.cgi @@ -46,8 +46,13 @@ if ($cgiparams{"ACTION"} eq $Lang::tr{'save'}) { $settings{'ENABLED'} = $cgiparams{'ENABLED'}; } - # XXX Validate the description - $settings{"DESCRIPTION"} = $cgiparams{"DESCRIPTION"}; + # Validate the description + if (($cgiparams{"DESCRIPTION"} eq "") || ($cgiparams{"DESCRIPTION"} =~ /^[A-Za-z0-9_\-]+$/)) { + $settings{"DESCRIPTION"} = $cgiparams{"DESCRIPTION"}; + } else { + # Add error message about invalid characters in description. + push(@errormessages, "$Lang::tr{'lldp invalid description'}"); + } # Don't continue on error goto MAIN if (scalar @errormessages); @@ -81,6 +86,9 @@ MAIN: "ENABLED" => ($settings{"ENABLED"} eq "on") ? "checked" : "", ); + # Description field, defaults to CGI input otherwise use configured description. + my $description = $cgiparams{'DESCRIPTION'} // $settings{'DESCRIPTION'}; + print < @@ -94,7 +102,7 @@ MAIN: -- 2.47.3
$Lang::tr{'description'} - +
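
Review bot: In the first hunk (@@ -46,8 +46,13 @@), the pattern /^[A-Za-z0-9_\-]+$/ ends in $, which in Perl also matches just before a trailing newline, so a DESCRIPTION value ending in "\n" passes the check and is copied into $settings{"DESCRIPTION"}. Anchoring the end with \z, as in /^[A-Za-z0-9_\-]+\z/, closes that gap. The character class also rejects spaces and dots, which is narrow for a description field; if that is intended, the comment above the check should say so, and a maximum length would be worth adding in the same condition. The diffstat shows only lldp.cgi changing, so the 'lldp invalid description' key has to be supplied by another patch in the series, otherwise the pushed error message is empty.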
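
Review bot: In the second hunk (@@ -81,6 +86,9 @@), $description prefers $cgiparams{'DESCRIPTION'} over the stored setting, and the error path reaches this point through "goto MAIN if (scalar @errormessages);", so on a failed save $description holds exactly the input that was just rejected. Nothing in the visible lines escapes it before the form is printed, so it should be HTML-escaped at this assignment or where it is written into the form, unless that is already handled outside the lines shown. The comment could also state that // only falls back when the CGI value is undefined, so a submitted empty string is shown as empty rather than replaced by the configured description.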