From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. f7c4f7d2968be6c9b786b7f7e46fdb8ac96c8104
Date: Thu, 25 Sep 2025 15:37:36 +0000 (UTC)
Message-ID: <4cXdBm1pPZz2xqQ@people01.haj.ipfire.org>
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via f7c4f7d2968be6c9b786b7f7e46fdb8ac96c8104 (commit)
via db042629c0cae5b78eeddb8a9db8783c557138b0 (commit)
via 89585e76a2cade43c5fa397f4e2b86f605439659 (commit)
via 83be14bba7e6867b20d277e52c5bca486aa43162 (commit)
via 82ad6e9bc3287577b0b72af71ea7651ba416b97b (commit)
via 61f447ff341d2f7720fb6c5b483cc9fb063e869c (commit)
via cfef9a3e61de89b076e1049949a6e1e44e2eb376 (commit)
via 1e14ff05e7112b8b41aafc930fe0988b827f0e1a (commit)
via b0e851295367cbaf7ce2331ae6d11a4a68ac5b66 (commit)
via e22ecef885c34462565ae20020a32a27d0585dc3 (commit)
via 4cf0694e55305e368c4ca28da2db7481c8f08c5a (commit)
via 98616a36c00b7fc845995c5cc4d8e301e58a20a7 (commit)
via 43b4ba3768db5e46b95c263accb5b26e90df8a08 (commit)
via 6863bfbd2fc251d10813561a920abb1da604b6e3 (commit)
via 25ad6a4849622b4ff09bae36ab1c859a75ef509e (commit)
via 3092a796c138c0b8b22563b68dd21d8e5e1c37e8 (commit)
via ff7f14e95e6198d5bd84f921228dd61e3a4e0a1e (commit)
via ff2f9862e7fc69412bb66255d2cf5f669166adeb (commit)
via 44edd825db300b68b8b01cd6ae23368503e3faa5 (commit)
via 63d971bf688ad70fc82e54aea7a31aa508cf4c28 (commit)
via 3e198e43a67421fa21b94b0c6dbb5ceb9314f293 (commit)
via fa97bae01cc2ada209e8559e48c25298fe628181 (commit)
via 811a5dca77ecaf9fcd73ecb4460f2ac9b668d266 (commit)
via f0015fefe6d2523c5bb9818fa6aeeb064f6e45db (commit)
via 47e9f8470ad5f8c134ad36e125bd7d6d78b61b7f (commit)
from aef18b86e9dffb68878719554fff6df033500c07 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit f7c4f7d2968be6c9b786b7f7e46fdb8ac96c8104
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:32:51 2025 +0200
proxy.cgi: Escape parameters in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit db042629c0cae5b78eeddb8a9db8783c557138b0
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:29:35 2025 +0200
dns.cgi: Validate the TLS hostname irregardless of TLS being used
That way, we won't have to perform escaping later on and can rely on
having a valid value.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 89585e76a2cade43c5fa397f4e2b86f605439659
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:19:59 2025 +0200
mail.cgi: Escape username/password in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 83be14bba7e6867b20d277e52c5bca486aa43162
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:12:20 2025 +0200
firewalllogcountry.dat: Escape pienumber in the correct place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 82ad6e9bc3287577b0b72af71ea7651ba416b97b
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:10:56 2025 +0200
firewalllogip.dat: Escape pienumber in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 61f447ff341d2f7720fb6c5b483cc9fb063e869c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:07:36 2025 +0200
ids.cgi: Escape the remark before sending it back to the browser
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit cfef9a3e61de89b076e1049949a6e1e44e2eb376
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:05:32 2025 +0200
fwhosts.cgi: Escape PROT in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 1e14ff05e7112b8b41aafc930fe0988b827f0e1a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:02:18 2025 +0200
fwhosts.cgi: Check country code before proceeding
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit b0e851295367cbaf7ce2331ae6d11a4a68ac5b66
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 16:37:27 2025 +0200
ddns.cgi: Escape the variables when they are being sent back to the browser
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e22ecef885c34462565ae20020a32a27d0585dc3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:52 2025 +0200
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 4cf0694e55305e368c4ca28da2db7481c8f08c5a
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:51 2025 +0200
proxy.cgi: Fixes bug 13893
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 98616a36c00b7fc845995c5cc4d8e301e58a20a7
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:50 2025 +0200
dns.cgi: Fixes bug 13892
Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 43b4ba3768db5e46b95c263accb5b26e90df8a08
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:49 2025 +0200
mail.cgi: Fixes bug 13891
Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6863bfbd2fc251d10813561a920abb1da604b6e3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:48 2025 +0200
config.dat: Fixes bug 13890
Fixes: bug 13890 - config.dat REMOTELOG_ADDR Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 25ad6a4849622b4ff09bae36ab1c859a75ef509e
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:47 2025 +0200
urlfilter.cgi: Fixes bugs 13887, 13888 & 13889
Fixes: bug 13887 - urlfilter.cgi BE_NAME Command Injection
Fixes: bug 13888 - urlfilter.cgi USERQUOTA QUOTA_USERS Stored Cross-Site Scripting
Fixes: bug 13889 - urlfilter.cgi TIMECONSTRAINT SRC DST COMMENT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3092a796c138c0b8b22563b68dd21d8e5e1c37e8
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:46 2025 +0200
calamaris.dat: Fixes bug 13886
Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ff7f14e95e6198d5bd84f921228dd61e3a4e0a1e
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:45 2025 +0200
qos.cgi: Fixes bug 13885
Fixes: bug 13885 - qos.cgi INC_SPD OUT_SPD DEFCLASS_INC DEFCLASS_OUT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ff2f9862e7fc69412bb66255d2cf5f669166adeb
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:44 2025 +0200
ddns.cgi: Fixes bug 13884
Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 44edd825db300b68b8b01cd6ae23368503e3faa5
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:43 2025 +0200
time.cgi: Fixes bug 13883
Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 63d971bf688ad70fc82e54aea7a31aa508cf4c28
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:42 2025 +0200
firewalllogcountry.dat: Fixes bug 13882
Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3e198e43a67421fa21b94b0c6dbb5ceb9314f293
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:41 2025 +0200
firewalllogip.dat: Fixes bug 13881
Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit fa97bae01cc2ada209e8559e48c25298fe628181
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:40 2025 +0200
header.pl: Fixes bug 13880
Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 811a5dca77ecaf9fcd73ecb4460f2ac9b668d266
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:39 2025 +0200
ovpnclients.dat: Fixes bug 13879
Fixes: bug 13879 - CONNECTION_NAME SQL Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f0015fefe6d2523c5bb9818fa6aeeb064f6e45db
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:38 2025 +0200
ids.cgi: Fixes bug 13878
Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 47e9f8470ad5f8c134ad36e125bd7d6d78b61b7f
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:37 2025 +0200
fwhosts.cgi Fix for bug 13876 & bug 13877
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/general-functions.pl | 8 +++++++
config/cfgroot/header.pl | 2 +-
doc/language_issues.en | 1 +
doc/language_issues.es | 1 +
doc/language_issues.fr | 1 +
doc/language_issues.it | 1 +
doc/language_issues.nl | 1 +
doc/language_issues.pl | 1 +
doc/language_issues.ru | 1 +
doc/language_issues.tr | 1 +
doc/language_issues.tw | 1 +
doc/language_issues.zh | 1 +
doc/language_missings | 9 ++++++++
html/cgi-bin/ddns.cgi | 8 ++++---
html/cgi-bin/dns.cgi | 18 +++++++++-------
html/cgi-bin/fwhosts.cgi | 10 ++++++---
html/cgi-bin/ids.cgi | 5 +++--
html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++
html/cgi-bin/logs.cgi/config.dat | 29 +++++++++++++++++--------
html/cgi-bin/logs.cgi/firewalllogcountry.dat | 32 ++++++++++++++++++----------
html/cgi-bin/logs.cgi/firewalllogip.dat | 32 ++++++++++++++++++----------
html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
html/cgi-bin/mail.cgi | 8 ++++---
html/cgi-bin/proxy.cgi | 26 ++++++++++++++++------
html/cgi-bin/qos.cgi | 6 +++++-
html/cgi-bin/time.cgi | 3 ++-
html/cgi-bin/urlfilter.cgi | 13 +++++++++--
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
29 files changed, 166 insertions(+), 63 deletions(-)
Difference in files:
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index 33b5605e2..94d0e7440 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -864,6 +864,14 @@ sub validportrange # used to check a port range
}
}
+# Checks for a valid country code
+sub validcc($) {
+ my $cc = shift;
+
+ # Must contain of exactly two uppercase characters, or must be A1, A2, or A3
+ return ($cc =~ m/^([A-Z]{2}|A[123])$/);
+}
+
sub IpInSubnet {
my $addr = shift;
my $network = shift;
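Review bot: the `$` anchor in `m/^([A-Z]{2}|A[123])$/` also matches before a trailing newline, so a value such as "DE\n" passes validcc(); anchor with `\z` (`m/^([A-Z]{2}|A[123])\z/`) if anything but the bare two-character code should be rejected. The `($)` prototype has no effect on callers that use the `&General::validcc(...)` form, as fwhosts.cgi does in this same series, so either drop it or keep it knowingly. The comment wording should also be fixed: "Must consist of exactly two uppercase letters, or be A1, A2 or A3".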
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 9492b467d..6e65f4137 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -647,7 +647,7 @@ sub cleanhtml {
# decode the UTF-8 text so that characters with diacritical marks such as
# umlauts are treated correctly by the escape command
$outstring = &Encode::decode("UTF-8",$outstring);
- escape($outstring);
+ $outstring = escape($outstring);
# encode the text back to UTF-8 after running the escape command
$outstring = &Encode::encode("UTF-8",$outstring);
return $outstring;
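Review bot: the fix is correct only because escape() returns the escaped string rather than modifying its argument in place; the other hunks in this series rely on the same contract through `@{[ &Header::escape(...) ]}`. Since the original defect was precisely that this return value was silently dropped, a one-line comment above `$outstring = escape($outstring);` stating that cleanhtml() depends on escape()'s return value (or a small regression test feeding `<script>` through cleanhtml()) would stop the same mistake being reintroduced.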
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 808556beb..4376ec232 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -942,6 +942,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
WARNING: untranslated string: fwhost hint = Note
WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost ip_mac = IP/MAC address
WARNING: untranslated string: fwhost ipsec net = IPsec networks:
WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 6f005949a..aa40df21f 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1028,6 +1028,7 @@ WARNING: untranslated string: error message = unknown string
WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
WARNING: untranslated string: guardian block ssh brute-force = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 4439b300a..f4591ca74 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1014,6 +1014,7 @@ WARNING: untranslated string: extrahd because it is outside the allowed mount pa
WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index d2e2439c0..f40373b1c 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1116,6 +1116,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups
WARNING: untranslated string: fwhost cust locationgroup = Location Groups
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost newlocationgrp = Location Groups
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: generate ptr = Generate PTR
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 0224acb3a..733904195 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1123,6 +1123,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups
WARNING: untranslated string: fwhost cust locationgroup = Location Groups
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost newlocationgrp = Location Groups
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: generate ptr = Generate PTR
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index e598262e2..ea17e70f0 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1223,6 +1223,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
WARNING: untranslated string: fwhost hint = Note
WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost ip_mac = IP/MAC address
WARNING: untranslated string: fwhost ipsec net = IPsec networks:
WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 9bd9f2a61..9fc1cb383 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1221,6 +1221,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
WARNING: untranslated string: fwhost hint = Note
WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost ip_mac = IP/MAC address
WARNING: untranslated string: fwhost ipsec net = IPsec networks:
WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 6517beaa9..c306058d5 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1063,6 +1063,7 @@ WARNING: untranslated string: fwdfw all subnets = All subnets
WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: generate ptr = Generate PTR
WARNING: untranslated string: guardian block a host = unknown string
diff --git a/doc/language_issues.tw b/doc/language_issues.tw
index ac4544bca..384f8e376 100644
--- a/doc/language_issues.tw
+++ b/doc/language_issues.tw
@@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string
WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_issues.zh b/doc/language_issues.zh
index ac4544bca..384f8e376 100644
--- a/doc/language_issues.zh
+++ b/doc/language_issues.zh
@@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string
WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_missings b/doc/language_missings
index d0cf1318e..9838c5016 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -156,6 +156,7 @@
< AES-256-GCM
< CHACHA20-POLY1305
< dns servers
+< fwhost invalid country code
< ids all including informational
< ids email alerts
< ids email alert severity
@@ -243,6 +244,7 @@
< endpoint port
< extrahd because it it outside the allowed mount path
< fwdfw syn flood protection
+< fwhost invalid country code
< fwhost wg peers
< g.dtm
< g.lite
@@ -620,6 +622,7 @@
< fwhost cust location
< fwhost cust locationgroup
< fwhost cust locationlocation
+< fwhost invalid country code
< fwhost newlocationgrp
< fwhost wg peers
< fw red
@@ -1305,6 +1308,7 @@
< fwhost cust location
< fwhost cust locationgroup
< fwhost cust locationlocation
+< fwhost invalid country code
< fwhost newlocationgrp
< fwhost wg peers
< fw red
@@ -2254,6 +2258,7 @@
< fwhost hint
< fwhost hosts
< fwhost icmptype
+< fwhost invalid country code
< fwhost ipadr
< fwhost ip_mac
< fwhost ipsec host
@@ -3407,6 +3412,7 @@
< fwhost hint
< fwhost hosts
< fwhost icmptype
+< fwhost invalid country code
< fwhost ipadr
< fwhost ip_mac
< fwhost ipsec host
@@ -4195,6 +4201,7 @@
< foreshadow
< fwdfw all subnets
< fwdfw syn flood protection
+< fwhost invalid country code
< fwhost wg peers
< fw red
< generate ptr
@@ -4574,6 +4581,7 @@
< Captive wrong type
< CHACHA20-POLY1305
< dns servers
+< fwhost invalid country code
< guaranteed bandwidth
< ids all including informational
< ids email alerts
@@ -4662,6 +4670,7 @@
< Captive wrong type
< CHACHA20-POLY1305
< dns servers
+< fwhost invalid country code
< guaranteed bandwidth
< ids all including informational
< ids email alerts
diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
index 34475b75c..8c2600500 100644
--- a/html/cgi-bin/ddns.cgi
+++ b/html/cgi-bin/ddns.cgi
@@ -524,17 +524,19 @@ print <<END
<td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
<td class='username'>$Lang::tr{'username'}</td>
- <td class='username'><input type='text' name='LOGIN' value='$settings{'LOGIN'}' /></td>
+ <td class='username'><input type='text' name='LOGIN'
+ value='@{[ &Header::escape($settings{'LOGIN'}) ]}' /></td>
<td class='token' style='display:none'>$Lang::tr{'token'}</td>
- <td class='token' style='display:none'><input type='text' name='TOKEN' value='$settings{'TOKEN'}' /></td>
+ <td class='token' style='display:none'><input type='text' name='TOKEN'
+ value='@{[ &Header::escape($settings{'TOKEN'}) ]}' /></td>
</tr>
<tr class='password'>
<td class='base'></td>
<td></td>
<td class='base'>$Lang::tr{'password'}</td>
- <td><input type='password' name='PASSWORD' value='$settings{'PASSWORD'}' /></td>
+ <td><input type='password' name='PASSWORD' value='@{[ &Header::escape($settings{'PASSWORD'}) ]}' /></td>
</tr>
</table>
<br>
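Review bot: all three values land inside single-quoted attributes (`value='...'`), so the fix only holds if &Header::escape() also encodes the single quote; an escape that covers just `<`, `>`, `&` and `"` would let a stored LOGIN or TOKEN close the attribute. Either confirm the escape table or switch these attributes to double quotes. Separately, the PASSWORD hunk still writes the stored secret into the page as the value of the password field; escaping removes the XSS, but the credential continues to round-trip to every browser that loads the form.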
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index 0d3b14797..883c7efb6 100644
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2005-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -127,15 +127,17 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L
$errormessage = "$Lang::tr{'invalid ip'}: $cgiparams{'NAMESERVER'}";
}
+ # Check if the provided hostname is valid
+ if ($cgiparams{'TLS_HOSTNAME'} ne "") {
+ unless (&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) {
+ $errormessage = "$Lang::tr{'invalid ip or hostname'}: " . &Header::escape($cgiparams{'TLS_HOSTNAME'});
+ }
+ }
+
# Check if a TLS is enabled and no TLS_HOSTNAME has benn specified.
- elsif($settings{'PROTO'} eq "TLS") {
- unless($cgiparams{"TLS_HOSTNAME"}) {
+ if ($settings{'PROTO'} eq "TLS") {
+ unless ($cgiparams{"TLS_HOSTNAME"}) {
$errormessage = "$Lang::tr{'dns no tls hostname given'}";
- } else {
- # Check if the provided domain is valid.
- unless(&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) {
- $errormessage = "$Lang::tr{'invalid ip or hostname'}: $cgiparams{'TLS_HOSTNAME'}";
- }
}
}
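Review bot: replacing the `elsif` with two independent `if` blocks means a later check overwrites `$errormessage` set by an earlier one, so the `invalid ip` message for NAMESERVER is lost whenever TLS_HOSTNAME is also invalid; append with `.=` plus a separator, or return after the first failure, so the user sees every validation error. The commit message's plan to stop escaping TLS_HOSTNAME at output time holds only if the save path is skipped whenever `$errormessage` is set and the value stored in settings is exactly the one that passed validfqdn(); that branch is outside this hunk and should be checked. The pre-existing typo "benn" in the comment could be fixed while touching this block.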
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 953f81e5f..dca425b69 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
+# Copyright (C) 2013-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -703,6 +703,10 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
# Check name
if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};}
+ unless (&General::validcc($fwhostsettings{'COUNTRY_CODE'})) {
+ $errormessage = $Lang::tr{'fwhost invalid country code'};
+ }
+
# Check for existing group name.
if (!&checkgroup($grp) && $fwhostsettings{'update'} ne 'on'){
$errormessage = $Lang::tr{'fwhost err grpexist'};
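Review bot: the new country-code check assigns `$errormessage =` while the name check directly above appends with `$errormessage.=`, so an invalid group name is silently replaced when the country code is also invalid; use `.=` here as well. The allow-list is strictly uppercase (`[A-Z]{2}` or A1/A2/A3): if the form can submit lowercase codes, normalise with `uc()` before calling validcc() rather than loosening the regex.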
@@ -714,7 +718,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
}
if ($fwhostsettings{'update'} eq 'on'){
- @target=$fwhostsettings{'COUNTRY_CODE'};
+ @target = $fwhostsettings{'COUNTRY_CODE'};
$type='Location Group';
#check if host/net exists in grp
@@ -1779,7 +1783,7 @@ sub addservice
{
$fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'};
$fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'};
- $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'};
+ $fwhostsettings{'oldsrvprot'} = &Header::escape($fwhostsettings{'PROT'});
$fwhostsettings{'oldsrvicmp'} = $fwhostsettings{'ICMP'};
}
print<<END;
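Review bot: escaping PROT at the point where it is copied into `oldsrvprot`, rather than where it is printed, means every later consumer of `oldsrvprot` receives an HTML-encoded value; that is fine for the form field in the heredoc that follows, but if the same key is compared against the stored protocol or written back to a config file, the mismatch or double-encoding surfaces later. Prefer escaping in the print statement, as the other hunks in this series do with `@{[ &Header::escape(...) ]}`, and since PROT can only be one of a few protocol names, an allow-list check at save time, in the style of the new validcc() for COUNTRY_CODE, is the stronger fix.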
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 994872564..9685b37d0 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -1525,7 +1525,8 @@ print <<END;
<tr>
<td>$Lang::tr{'remark'}</td>
<td>
- <input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' />
+ <input type='text' name=IGNORE_ENTRY_REMARK
+ value='@{[ &Header::escape($entry_remark) ]}' size='24' />
</td>
</tr>
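Review bot: `name=IGNORE_ENTRY_REMARK` is an unquoted attribute and the escaped remark sits in a single-quoted `value='...'`; quote the name attribute and, as for the other attribute fixes in this series, confirm that &Header::escape() encodes `'`, otherwise a remark containing a single quote still terminates the attribute.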
diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat
index dcc812e47..1c8e4b68e 100644
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'})
if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
+ if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
+ {
+ die "Invalid input in\"$commandline\"";
+ }
system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
}
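Review bot: the allow-list check runs after `" &"` has been appended for RUN_BACKGROUND, and `&` is not in `[a-zA-Z0-9-\s]`, so every background report now hits `die`; move the check above the RUN_BACKGROUND line, or validate the individual report parameters before they are joined. The class also admits `\s`, which includes newline and carriage return, and `system()` with a single string goes through the shell, where a newline separates commands; restrict whitespace to a literal space (`[a-zA-Z0-9 -]`) and anchor with `\z` rather than `$`. Better still, build an argument list and call `system($path, @args)` so no shell is involved at all. Minor: the die message is missing a space before the quoted value (`"Invalid input in \"$commandline\""`).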
diff --git a/html/cgi-bin/logs.cgi/config.dat b/html/cgi-bin/logs.cgi/config.dat
index aed0db9cf..e4b173ffb 100644
--- a/html/cgi-bin/logs.cgi/config.dat
+++ b/html/cgi-bin/logs.cgi/config.dat
@@ -1,13 +1,23 @@
#!/usr/bin/perl
-#
-# IPFire CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# (c) The IPFire Team
-#
-# $Id: config.dat,v 1.2.2.10 2005/06/14 12:32:07 eoberlander Exp $
-#
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
@@ -143,6 +153,7 @@ END
&Header::closebox();
&Header::openbox('100%', 'left', $Lang::tr{'remote logging'});
+$logsettings{'REMOTELOG_ADDR'} = &Header::escape($logsettings{'REMOTELOG_ADDR'});
print <<END
<table width='100%'>
<tr>
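Review bot: assigning the escaped value back into `$logsettings{'REMOTELOG_ADDR'}` changes the settings hash for the rest of the request; if that hash is later written back to the config file or used in a non-HTML context, the stored value becomes HTML-encoded and is double-encoded on the next save. Escape inside the heredoc at the point of output, as the other hunks in this series do with `@{[ &Header::escape(...) ]}`, and validate REMOTELOG_ADDR as an IP address or hostname on save so the stored value is known-good.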
diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
index 4e998a567..7b574092c 100644
--- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
@@ -1,14 +1,23 @@
#!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-# and Michael Tremer (www.ipfire.org)
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
use Getopt::Std;
@@ -270,7 +279,8 @@ print <<END
</tr>
<tr>
<td colspan='3' align='left' valign="left">$Lang::tr{'Number of Countries for the pie chart'}:</td>
- <td colspan='3' align='left' valign="center"><input type='text' name='pienumber' value='$pienumber' size='4'></td>
+ <td colspan='3' align='left' valign="center"><input type='text' name='pienumber'
+ value='@{[ &Header::escape($pienumber) ]}' size='4'></td>
<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
</tr>
</table>
diff --git a/html/cgi-bin/logs.cgi/firewalllogip.dat b/html/cgi-bin/logs.cgi/firewalllogip.dat
index a7c6e5f80..03584a9f2 100644
--- a/html/cgi-bin/logs.cgi/firewalllogip.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogip.dat
@@ -1,14 +1,23 @@
#!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-# and Michael Tremer (www.ipfire.org)
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
use Getopt::Std;
@@ -272,7 +281,8 @@ print <<END
</tr>
<tr>
<td colspan='3' align='left' valign="left">$Lang::tr{'Number of IPs for the pie chart'}:</td>
- <td colspan='3' align='left' valign="center"><input type='text' name='pienumber' value='$pienumber' size='4'></td>
+ <td colspan='3' align='left' valign="center"><input type='text' name='pienumber'
+ value='@{[ &Header::escape($pienumber) ]}' size='4'></td>
<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
</tr>
</table>
diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
index 8fbf4f8fa..5e6baef3c 100644
--- a/html/cgi-bin/logs.cgi/ovpnclients.dat
+++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2020 - 2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -141,7 +141,7 @@ my $database_query = qq(
ORDER BY common_name, duration DESC;
);
-if ($cgiparams{'CONNECTION_NAME'}) {
+if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
$database_query = qq(
SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
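Review bot: the added check `$cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/` silently falls through to the unfiltered "all sessions" query whenever the name fails the pattern, so a connection name containing a hyphen, underscore or dot would not produce an error but a different result set; consider setting an error message instead, and confirm the character class matches what the OpenVPN connection editor actually accepts for a name. If the name is interpolated into the `qq(...)` query that follows (the rest of the statement is outside this hunk), a DBI placeholder (`?` plus a bind value) is the robust fix and the regex then only serves as a usability check.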
diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi
index 0ed3dfeca..6c024974d 100644
--- a/html/cgi-bin/mail.cgi
+++ b/html/cgi-bin/mail.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -218,11 +218,13 @@ END
</tr>
<tr>
<td>$Lang::tr{'email mailuser'}</td>
- <td><input type='text' name='txt_mailuser' value='$auth{'AUTHNAME'}' style='width:22em;'></td>
+ <td><input type='text' name='txt_mailuser'
+ value='@{[ &Header::escape($auth{'AUTHNAME'}) ]}' style='width:22em;'></td>
</tr>
<tr>
<td>$Lang::tr{'email mailpass'}</td>
- <td><input type='password' name='txt_mailpass' value='$auth{'AUTHPASS'}' style='width:22em;' ></td>
+ <td><input type='password' name='txt_mailpass'
+ value='@{[ &Header::escape($auth{'AUTHPASS'}) ]}' style='width:22em;' ></td>
</tr>
<tr>
<td>$Lang::tr{'email tls'}</td>
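Review bot: escaping `$auth{'AUTHPASS'}` fixes the markup problem, but the stored SMTP password is still pre-filled into the `txt_mailpass` input on every page load, so the secret travels to the browser (and into any page cache or proxy log) each time the form is opened. The usual pattern is to render the password field empty and only update the saved value when the submitted field is non-empty; the same consideration applies to the `ADMIN_PASSWORD` field in proxy.cgi further down in this series.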
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index bdce2fa66..fdb7c6a77 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -955,7 +955,8 @@ if ($netsettings{'BLUE_DEV'}) {
}
print <<END
<td class='base'>$Lang::tr{'advproxy visible hostname'}:</td>
- <td><input type='text' name='VISIBLE_HOSTNAME' value='$proxysettings{'VISIBLE_HOSTNAME'}' /></td>
+ <td><input type='text' name='VISIBLE_HOSTNAME'
+ value='@{[ &Header::escape($proxysettings{'VISIBLE_HOSTNAME'}) ]}' /></td>
</tr>
<tr>
END
@@ -1074,13 +1075,15 @@ print <<END
<td class='base'><a href='/cgi-bin/cachemgr.cgi' target='_blank'>$Lang::tr{'proxy cachemgr'}:</td>
<td><input type='checkbox' name='CACHEMGR' $checked{'CACHEMGR'}{'on'} /></td>
<td class='base'>$Lang::tr{'advproxy admin mail'}:</td>
- <td><input type='text' name='ADMIN_MAIL_ADDRESS' value='$proxysettings{'ADMIN_MAIL_ADDRESS'}' /></td>
+ <td><input type='text' name='ADMIN_MAIL_ADDRESS'
+ value='@{[ &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'}) ]}' /></td>
</tr>
<tr>
<td class='base'>$Lang::tr{'proxy filedescriptors'}: <img src='/blob.gif' alt='*' /></td>
<td><input type='text' name='FILEDESCRIPTORS' value='$proxysettings{'FILEDESCRIPTORS'}' size='5' /></td>
<td class='base'>$Lang::tr{'proxy admin password'}:</td>
- <td><input type='text' name='ADMIN_PASSWORD' value='$proxysettings{'ADMIN_PASSWORD'}' /></td>
+ <td><input type='text' name='ADMIN_PASSWORD'
+ value='@{[ &Header::escape($proxysettings{'ADMIN_PASSWORD'}) ]}' /></td>
</tr>
<tr>
<td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
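Review bot: `FILEDESCRIPTORS` on the line between the two newly escaped inputs is still interpolated raw (`value='$proxysettings{'FILEDESCRIPTORS'}'`); unless it is validated as an integer on save, it needs the same `@{[ &Header::escape(...) ]}` treatment as its neighbours. Separately, `ADMIN_PASSWORD` is rendered into an `<input type='text'>`, which shows the cache manager password on screen and, as with the mail form, sends it to the browser on every render; a `type='password'` field left empty unless changed would be preferable.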
@@ -3976,8 +3979,14 @@ END
print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
}
- if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
- if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+ if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+ {
+ print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+ }
+ if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+ {
+ print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
+ }
print FILE "\n";
print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
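Review bot: this hunk only moves the `cache_mgr` and `cachemgr_passwd` writes onto separate lines; no validation is added, so both values still go into the Squid configuration verbatim. Since these are written to a config file rather than to HTML, the right check belongs on the save path (reject whitespace and line breaks, as the `BE_NAME` pattern check later in this series does for urlfilter), and the brace reformat alone should not be read as closing that gap.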
@@ -3993,8 +4002,13 @@ END
# login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on')
if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
{
+ $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});
print FILE " login=$proxysettings{'UPSTREAM_USER'}";
- if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+ if ($proxy1 eq 'YES')
+ {
+ $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+ print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}";
+ }
}
elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }
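Review bot: applying `&Header::escape` to `UPSTREAM_USER` and `UPSTREAM_PASSWORD` before `print FILE " login=..."` uses an HTML escaper on a value destined for squid.conf, so a credential containing `&`, `'` or `"` would be written as an HTML entity and the upstream login would then fail, while characters that matter in the config line (whitespace, line breaks) are not addressed. Prefer a character-class check on save (error out on anything outside what the `login=` option accepts) and leave the stored values unmodified; as written, the assignment also changes `%proxysettings` in place, which affects any later use of the hash in the same run.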
diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index 52392be08..8400bafdf 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -671,6 +671,8 @@ END
END
;
if (($qossettings{'OUT_SPD'} ne '') && ($qossettings{'INC_SPD'} ne '')) {
+ $qossettings{'OUT_SPD'} = &Header::escape($qossettings{'OUT_SPD'});
+ $qossettings{'INC_SPD'} = &Header::escape($qossettings{'INC_SPD'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
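Review bot: `$qossettings{'OUT_SPD'} = &Header::escape(...)` and the `INC_SPD` line mutate the settings hash before the heredoc rather than escaping inline; if `%qossettings` is saved or used for the tc/qos configuration later in the same request, the escaped form would leak into that path. Escaping inside the heredoc with `@{[ &Header::escape($qossettings{'OUT_SPD'}) ]}` keeps the stored values clean; the same applies to the `DEFCLASS_OUT`/`DEFCLASS_INC` block in the next hunk of this file.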
@@ -683,6 +685,8 @@ END
;
}
if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) {
+ $qossettings{'DEFCLASS_OUT'} = &Header::escape($qossettings{'DEFCLASS_OUT'});
+ $qossettings{'DEFCLASS_INC'} = &Header::escape($qossettings{'DEFCLASS_INC'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
index 04c1e771f..d465354bb 100644
--- a/html/cgi-bin/time.cgi
+++ b/html/cgi-bin/time.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2010 IPFire Team #
+# Copyright (C) 2010-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'})
if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0)
{
$errormessage = $Lang::tr{'invalid time period'};
+ $timesettings{'UPDATE_VALUE'} = 0;
goto ERROR;
}
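Review bot: resetting `$timesettings{'UPDATE_VALUE'} = 0` after setting `$errormessage` stops the rejected value from being echoed into the form on the ERROR path, but `0` is itself the value the check just rejected (`<= 0`), so the redisplayed form shows an invalid number; restoring the previously saved setting, or leaving the field empty, would be clearer for the user and avoids a second error on a blind resubmit.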
diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi
index 1ced06e26..2467f297c 100644
--- a/html/cgi-bin/urlfilter.cgi
+++ b/html/cgi-bin/urlfilter.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2010 IPFire Team #
+# Copyright (C) 2005-2025 IPFire Team #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -576,7 +576,7 @@ if (($uqsettings{'MODE'} eq 'USERQUOTA') && ($uqsettings{'ACTION'} eq $Lang::tr{
$_ = $uqsettings{'QUOTA_USERS'};
chomp; s/\n/|/g;
- my $quota_users = $_;
+ my $quota_users = &Header::escape($_);
if ($uqsettings{'QUOTA_USERS'} =~ /\\/)
{
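Review bot: `my $quota_users = &Header::escape($_);` escapes the `|`-joined user list, which looks like a value built for the squidGuard configuration rather than for HTML output; if that is where `$quota_users` is used, HTML entities will corrupt user names containing `&` or quotes while doing nothing for the config syntax. Note also that the backslash check on the following line still inspects the raw `$uqsettings{'QUOTA_USERS'}`, so the two checks now operate on different representations of the same input; escape at the point where the value is rendered into HTML instead.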
@@ -936,6 +936,11 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes
close FILE;
# XXX uses globbing
+ if(!($besettings{'BE_NAME'} =~ /^[a-zA-Z0-9-_]+$/))
+ {
+ $errormessage = 'Invalid blacklist name (use only alphanumeric characters plus hyphens or underscores)';
+ goto ERROR;
+ }
system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db");
&General::system("/usr/bin/squidGuard", "-c", "$editdir/install.conf", "-C", "all");
# XXX uses globbing
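Review bot: the `BE_NAME` check is the right fix for the `rm -f $dbdir/$besettings{'BE_NAME'}/*.db` path, but it runs after `close FILE`, i.e. after the preceding block has already written its output; move the validation ahead of any file writes so a rejected name leaves nothing behind. Two smaller points: in `/^[a-zA-Z0-9-_]+$/` the hyphen sits directly after the `0-9` range, which Perl reads as a literal but is easy to misread as a range, so write it as `[a-zA-Z0-9_-]` (hyphen last); and the error text is a hard-coded English string where the rest of the file and the `langs/` changes in this same push use `$Lang::tr{...}` keys.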
@@ -2047,6 +2052,10 @@ foreach $line (@tclist)
if ($temp[7] eq 'on') { $time.=$Lang::tr{'urlfilter sun'}; } else { $time.='='; }
$time=$time.' '.$temp[8].':'.$temp[9].' to '.$temp[10].':'.$temp[11];
+ $temp[12] = &Header::escape($temp[12]);
+ $temp[13] = &Header::escape($temp[13]);
+ $temp[16] = &Header::escape($temp[16]);
+
print <<END
<td align='center'>$temp[0]</td>
<td align='center' nowrap>$time</td>
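Review bot: `$temp[12]`, `$temp[13]` and `$temp[16]` are escaped, but `$temp[0]` is still printed raw on the first line of the heredoc, and `$temp[8]`..`$temp[11]` are concatenated into `$time` unescaped; if these come from the same user-edited time constraint record, they need the same treatment, or a comment stating why they are known to be numeric.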
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index 8ef466cbc..efa0eaf69 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1289,6 +1289,7 @@
'fwhost hint' => 'Hinweis',
'fwhost hosts' => 'Firewall-Hosts',
'fwhost icmptype' => 'ICMP-Typ:',
+'fwhost invalid country code' => 'Ungültiger Ländercode',
'fwhost ip_mac' => 'IP/MAC-Adresse',
'fwhost ipadr' => 'IP-Adresse:',
'fwhost ipsec host' => 'IPsec-Clients:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 7c8b24f6a..3aab75efd 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1341,6 +1341,7 @@
'fwhost hint' => 'Note',
'fwhost hosts' => 'Firewall Hosts',
'fwhost icmptype' => 'ICMP type:',
+'fwhost invalid country code' => 'Invalid Country Code',
'fwhost ip_mac' => 'IP/MAC address',
'fwhost ipadr' => 'IP address:',
'fwhost ipsec host' => 'IPsec clients:',
hooks/post-receive
--
IPFire 2.x development tree