This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, master has been updated
       via  54e9e66841b8fc97dd46ba419228c3fb6d488b69 (commit)
       via  6d107e8683fb816f0f63fd6022b30a277ea9d191 (commit)
       via  8726b465430f59a18e3704c47d886662ca59ad22 (commit)
       via  b46ccb021ed46cac8690c6f16f08f813beb12f5c (commit)
       via  9a4fbd0bac49ee76006f732701c6fea8d2338f8a (commit)
       via  841d9dab524bfe6572471f4e14b97534e840bed1 (commit)
       via  0560cc7c4d06ce05e37c397f38be05907e098601 (commit)
       via  3aad228b56bd2a87d3eeca1d027197734e0fac8c (commit)
       via  43ce8d752e79453e99fccb33bd8a4176bba4c670 (commit)
       via  2398cc431a3fb2cd4141b6a846f0cd0742f6a97c (commit)
       via  ad995081302f6b28ea11c74e56306d94a7bee076 (commit)
       via  0b946b848c72511922fa211b6a4db0da092d204c (commit)
       via  9ceb7c7e8b3191109e7dd7c84444dce126996ee2 (commit)
       via  e6a0ecf248d26c72f015d082e84ecd2772823c08 (commit)
       via  df17d1adafb5629ecd4d80634002028d7ab4cf58 (commit)
       via  a31550706f590193f63f2a9c57c943a9ab572642 (commit)
       via  c431d86ab882f1305f831a37c04491a7ae771e28 (commit)
       via  fc3f7f4a179b26b6ef255a3ab46b6fe6faf208c9 (commit)
       via  7dca07fdcf018320bc10eb4d5fcd019dd1a7029a (commit)
       via  32f22c92e19c2d94c5f0b667f27e7a5ccd65ac61 (commit)
       via  67db35c8a536b54d169336269853aaa6eae85ab5 (commit)
       via  8025aa78fb52933666e13a7e9e782edf4ddf8b42 (commit)
       via  8d78fb4b816e032738b08e724d51c200364e5037 (commit)
       via  dd6d272b6828e443478d2e6e40c1ce19d54f3c2a (commit)
       via  f04e5fb1c91582d2bfbcdcebfe2aa9a47a5edb43 (commit)
       via  0400a1009439d0ffeddb1e449c8bd656341f5f44 (commit)
       via  eb257423df48f233312d06b2a7cd48cf5dfd21fd (commit)
       via  a2c624b99dbcecb469e6001505731049ef5cbbd3 (commit)
      from  9150cbddeb913ce093f2f7e0669e4a8ab3265bb0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 54e9e66841b8fc97dd46ba419228c3fb6d488b69
Author: Michael Tremer
Date:   Thu Oct 2 16:57:10 2025 +0000

    core198: Ship header.pl

    Signed-off-by: Michael Tremer

commit 6d107e8683fb816f0f63fd6022b30a277ea9d191
Author: Adolf Belka
Date:   Thu Oct 2 13:10:15 2025 +0200

    firewall.cgi: Fixes XSS potential

    - Related to CVE-2025-50975
    - Fixes PROT
    - ruleremark was already escaped when firewall.cgi was initially merged back in
      Core Update 77.
    - SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code
      as ports or port ranges.
    - std_net_tgt is a string defined in the code and not a variable
    - The variable key ignores any input that is not a digit and subsequently uses the
      next free rulenumber digit

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 8726b465430f59a18e3704c47d886662ca59ad22
Author: Adolf Belka
Date:   Thu Oct 2 13:10:14 2025 +0200

    dns.cgi: Fix for XSS potential

    - Related to CVE-2025-50976
    - Fixes NAMESERVER & REMARK
    - TLS_HOSTNAME was already fixed in a previous patch

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit b46ccb021ed46cac8690c6f16f08f813beb12f5c
Author: Michael Tremer
Date:   Thu Sep 25 17:32:51 2025 +0200

    proxy.cgi: Escape parameters in the right place

    Signed-off-by: Michael Tremer

commit 9a4fbd0bac49ee76006f732701c6fea8d2338f8a
Author: Michael Tremer
Date:   Thu Sep 25 17:29:35 2025 +0200

    dns.cgi: Validate the TLS hostname irregardless of TLS being used

    That way, we won't have to perform escaping later on and can rely on
    having a valid value.

    Signed-off-by: Michael Tremer

commit 841d9dab524bfe6572471f4e14b97534e840bed1
Author: Michael Tremer
Date:   Thu Sep 25 17:19:59 2025 +0200

    mail.cgi: Escape username/password in the right place

    Signed-off-by: Michael Tremer

commit 0560cc7c4d06ce05e37c397f38be05907e098601
Author: Michael Tremer
Date:   Thu Sep 25 17:12:20 2025 +0200

    firewalllogcountry.dat: Escape pienumber in the correct place

    Signed-off-by: Michael Tremer

commit 3aad228b56bd2a87d3eeca1d027197734e0fac8c
Author: Michael Tremer
Date:   Thu Sep 25 17:10:56 2025 +0200

    firewalllogip.dat: Escape pienumber in the right place

    Signed-off-by: Michael Tremer

commit 43ce8d752e79453e99fccb33bd8a4176bba4c670
Author: Michael Tremer
Date:   Thu Sep 25 17:07:36 2025 +0200

    ids.cgi: Escape the remark before sending it back to the browser

    Signed-off-by: Michael Tremer

commit 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c
Author: Michael Tremer
Date:   Thu Sep 25 17:05:32 2025 +0200

    fwhosts.cgi: Escape PROT in the right place

    Signed-off-by: Michael Tremer

commit ad995081302f6b28ea11c74e56306d94a7bee076
Author: Michael Tremer
Date:   Thu Sep 25 17:02:18 2025 +0200

    fwhosts.cgi: Check country code before proceeding

    Signed-off-by: Michael Tremer

commit 0b946b848c72511922fa211b6a4db0da092d204c
Author: Michael Tremer
Date:   Thu Sep 25 16:37:27 2025 +0200

    ddns.cgi: Escape the variables when they are being sent back to the browser

    Signed-off-by: Michael Tremer

commit 9ceb7c7e8b3191109e7dd7c84444dce126996ee2
Author: Adolf Belka
Date:   Thu Sep 25 13:12:52 2025 +0200

    proxy.cgi: Further fix for bug 13893

    - Previous patch for proxy.cgi was related to the mitigation provided by the bug
      reporter for the parameter VISIBLE_HOSTNAME. This parameter however was not
      mentioned in the description for that bug.
    - bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
      ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
      which is incorrect except for TLS_HOSTNAME.
    - The other parameters are from proxy.cgi but no mitigation was shown for those in
      the bug report.
    - This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
      ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD

    Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit e6a0ecf248d26c72f015d082e84ecd2772823c08
Author: Adolf Belka
Date:   Thu Sep 25 13:12:51 2025 +0200

    proxy.cgi: Fixes bug 13893

    Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit df17d1adafb5629ecd4d80634002028d7ab4cf58
Author: Adolf Belka
Date:   Thu Sep 25 13:12:50 2025 +0200

    dns.cgi: Fixes bug 13892

    Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit a31550706f590193f63f2a9c57c943a9ab572642
Author: Adolf Belka
Date:   Thu Sep 25 13:12:49 2025 +0200

    mail.cgi: Fixes bug 13891

    Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c431d86ab882f1305f831a37c04491a7ae771e28
Author: Adolf Belka
Date:   Thu Sep 25 13:12:48 2025 +0200

    config.dat: Fixes bug 13890

    Fixes: bug 13890 - config.dat REMOTELOG_ADDR Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit fc3f7f4a179b26b6ef255a3ab46b6fe6faf208c9
Author: Adolf Belka
Date:   Thu Sep 25 13:12:47 2025 +0200

    urlfilter.cgi: Fixes bugs 13887, 13888 & 13889

    Fixes: bug 13887 - urlfilter.cgi BE_NAME Command Injection
    Fixes: bug 13888 - urlfilter.cgi USERQUOTA QUOTA_USERS Stored Cross-Site Scripting
    Fixes: bug 13889 - urlfilter.cgi TIMECONSTRAINT SRC DST COMMENT Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 7dca07fdcf018320bc10eb4d5fcd019dd1a7029a
Author: Adolf Belka
Date:   Thu Sep 25 13:12:46 2025 +0200

    calamaris.dat: Fixes bug 13886

    Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 32f22c92e19c2d94c5f0b667f27e7a5ccd65ac61
Author: Adolf Belka
Date:   Thu Sep 25 13:12:45 2025 +0200

    qos.cgi: Fixes bug 13885

    Fixes: bug 13885 - qos.cgi INC_SPD OUT_SPD DEFCLASS_INC DEFCLASS_OUT Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 67db35c8a536b54d169336269853aaa6eae85ab5
Author: Adolf Belka
Date:   Thu Sep 25 13:12:44 2025 +0200

    ddns.cgi: Fixes bug 13884

    Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit 8025aa78fb52933666e13a7e9e782edf4ddf8b42
Author: Adolf Belka
Date:   Thu Sep 25 13:12:43 2025 +0200

    time.cgi: Fixes bug 13883

    Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit 8d78fb4b816e032738b08e724d51c200364e5037
Author: Adolf Belka
Date:   Thu Sep 25 13:12:42 2025 +0200

    firewalllogcountry.dat: Fixes bug 13882

    Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit dd6d272b6828e443478d2e6e40c1ce19d54f3c2a
Author: Adolf Belka
Date:   Thu Sep 25 13:12:41 2025 +0200

    firewalllogip.dat: Fixes bug 13881

    Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit f04e5fb1c91582d2bfbcdcebfe2aa9a47a5edb43
Author: Adolf Belka
Date:   Thu Sep 25 13:12:40 2025 +0200

    header.pl: Fixes bug 13880

    Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit 0400a1009439d0ffeddb1e449c8bd656341f5f44
Author: Adolf Belka
Date:   Thu Sep 25 13:12:39 2025 +0200

    ovpnclients.dat: Fixes bug 13879

    Fixes: bug 13879 - CONNECTION_NAME SQL Injection
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit eb257423df48f233312d06b2a7cd48cf5dfd21fd
Author: Adolf Belka
Date:   Thu Sep 25 13:12:38 2025 +0200

    ids.cgi: Fixes bug 13878

    Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
    Signed-off-by: Michael Tremer

commit a2c624b99dbcecb469e6001505731049ef5cbbd3
Author: Adolf Belka
Date:   Thu Sep 25 13:12:37 2025 +0200

    fwhosts.cgi Fix for bug 13876 & bug 13877

    Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
    Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
    Signed-off-by: Adolf Belka
    Reviewed-by: Bernhard Bitsch
Signed-off-by: Michael Tremer ----------------------------------------------------------------------- Summary of changes: config/cfgroot/general-functions.pl | 8 +++++++ config/cfgroot/header.pl | 2 +- config/rootfiles/core/198/filelists/files | 1 + doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_issues.tw | 1 + doc/language_issues.zh | 1 + doc/language_missings | 9 ++++++++ html/cgi-bin/ddns.cgi | 8 ++++--- html/cgi-bin/dns.cgi | 22 ++++++++++--------- html/cgi-bin/firewall.cgi | 3 ++- html/cgi-bin/fwhosts.cgi | 10 ++++++--- html/cgi-bin/ids.cgi | 5 +++-- html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++ html/cgi-bin/logs.cgi/config.dat | 29 +++++++++++++++++-------- html/cgi-bin/logs.cgi/firewalllogcountry.dat | 32 ++++++++++++++++++---------- html/cgi-bin/logs.cgi/firewalllogip.dat | 32 ++++++++++++++++++---------- html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++-- html/cgi-bin/mail.cgi | 8 ++++--- html/cgi-bin/proxy.cgi | 26 ++++++++++++++++------ html/cgi-bin/qos.cgi | 6 +++++- html/cgi-bin/time.cgi | 3 ++- html/cgi-bin/urlfilter.cgi | 13 +++++++++-- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 31 files changed, 171 insertions(+), 66 deletions(-) Difference in files: diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 33b5605e2..94d0e7440 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -864,6 +864,14 @@ sub validportrange # used to check a port range } } +# Checks for a valid country code +sub validcc($) { + my $cc = shift; + + # Must contain of exactly two uppercase characters, or must be A1, A2, or A3 + return ($cc =~ m/^([A-Z]{2}|A[123])$/); +} + sub IpInSubnet { my $addr = shift; my $network = shift; 
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl index 9492b467d..6e65f4137 100644 --- a/config/cfgroot/header.pl +++ b/config/cfgroot/header.pl @@ -647,7 +647,7 @@ sub cleanhtml { # decode the UTF-8 text so that characters with diacritical marks such as # umlauts are treated correctly by the escape command $outstring = &Encode::decode("UTF-8",$outstring); - escape($outstring); + $outstring = escape($outstring); # encode the text back to UTF-8 after running the escape command $outstring = &Encode::encode("UTF-8",$outstring); return $outstring; diff --git a/config/rootfiles/core/198/filelists/files b/config/rootfiles/core/198/filelists/files index 44d8182e9..adf18e482 100644 --- a/config/rootfiles/core/198/filelists/files +++ b/config/rootfiles/core/198/filelists/files @@ -1,4 +1,5 @@ etc/rc.d/init.d/cleanfs etc/rc.d/init.d/suricata var/ipfire/graphs.pl +var/ipfire/header.pl var/ipfire/ids-functions.pl diff --git a/doc/language_issues.en b/doc/language_issues.en index 6dfada328..fe7a17f1f 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en @@ -942,6 +942,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host WARNING: untranslated string: fwhost hint = Note WARNING: untranslated string: fwhost icmptype = ICMP type: +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: fwhost ip_mac = IP/MAC address WARNING: untranslated string: fwhost ipsec net = IPsec networks: WARNING: untranslated string: fwhost menu = Firewall Groups diff --git a/doc/language_issues.es b/doc/language_issues.es index cadfaf5d6..f0a6e31ba 100644 --- a/doc/language_issues.es +++ b/doc/language_issues.es 
@@ -1028,6 +1028,7 @@ WARNING: untranslated string: error message = unknown string WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: guardian block a host = unknown string WARNING: untranslated string: guardian block httpd brute-force = unknown string WARNING: untranslated string: guardian block ssh brute-force = unknown string diff --git a/doc/language_issues.fr b/doc/language_issues.fr index a03241bce..ce55b88ba 100644 --- a/doc/language_issues.fr +++ b/doc/language_issues.fr @@ -1014,6 +1014,7 @@ WARNING: untranslated string: extrahd because it is outside the allowed mount pa WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: fwhost wg peers = WireGuard Peers WARNING: untranslated string: guardian block a host = unknown string WARNING: untranslated string: guardian block httpd brute-force = unknown string diff --git a/doc/language_issues.it b/doc/language_issues.it index d5fdcd55e..ee5135003 100644 --- a/doc/language_issues.it +++ b/doc/language_issues.it 
@@ -1116,6 +1116,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups WARNING: untranslated string: fwhost cust locationgroup = Location Groups WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: fwhost newlocationgrp = Location Groups WARNING: untranslated string: fwhost wg peers = WireGuard Peers WARNING: untranslated string: generate ptr = Generate PTR diff --git a/doc/language_issues.nl b/doc/language_issues.nl index 72af4fba5..415041191 100644 --- a/doc/language_issues.nl +++ b/doc/language_issues.nl @@ -1123,6 +1123,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups WARNING: untranslated string: fwhost cust locationgroup = Location Groups WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: fwhost newlocationgrp = Location Groups WARNING: untranslated string: fwhost wg peers = WireGuard Peers WARNING: untranslated string: generate ptr = Generate PTR diff --git a/doc/language_issues.pl b/doc/language_issues.pl index c89dd9966..c951b39ce 100644 --- a/doc/language_issues.pl +++ b/doc/language_issues.pl 
@@ -1223,6 +1223,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host WARNING: untranslated string: fwhost hint = Note WARNING: untranslated string: fwhost icmptype = ICMP type: +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: fwhost ip_mac = IP/MAC address WARNING: untranslated string: fwhost ipsec net = IPsec networks: WARNING: untranslated string: fwhost menu = Firewall Groups diff --git a/doc/language_issues.ru b/doc/language_issues.ru index 2377115ab..738de8fee 100644 --- a/doc/language_issues.ru +++ b/doc/language_issues.ru @@ -1221,6 +1221,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host WARNING: untranslated string: fwhost hint = Note WARNING: untranslated string: fwhost icmptype = ICMP type: +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: fwhost ip_mac = IP/MAC address WARNING: untranslated string: fwhost ipsec net = IPsec networks: WARNING: untranslated string: fwhost menu = Firewall Groups diff --git a/doc/language_issues.tr b/doc/language_issues.tr index dfabd029e..cb13bc21f 100644 --- a/doc/language_issues.tr +++ b/doc/language_issues.tr 
@@ -1063,6 +1063,7 @@ WARNING: untranslated string: fwdfw all subnets = All subnets WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only) WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: fwhost wg peers = WireGuard Peers WARNING: untranslated string: generate ptr = Generate PTR WARNING: untranslated string: guardian block a host = unknown string diff --git a/doc/language_issues.tw b/doc/language_issues.tw index 2745a25ba..5a9f61b2c 100644 --- a/doc/language_issues.tw +++ b/doc/language_issues.tw @@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth WARNING: untranslated string: guardian block a host = unknown string WARNING: untranslated string: guardian block httpd brute-force = unknown string diff --git a/doc/language_issues.zh b/doc/language_issues.zh index 2745a25ba..5a9f61b2c 100644 --- a/doc/language_issues.zh +++ b/doc/language_issues.zh 
@@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string WARNING: untranslated string: fwhost cust locationgrp = unknown string WARNING: untranslated string: fwhost err hostip = unknown string +WARNING: untranslated string: fwhost invalid country code = Invalid Country Code WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth WARNING: untranslated string: guardian block a host = unknown string WARNING: untranslated string: guardian block httpd brute-force = unknown string diff --git a/doc/language_missings b/doc/language_missings index 03c286f5a..b042081eb 100644 --- a/doc/language_missings +++ b/doc/language_missings @@ -156,6 +156,7 @@ < AES-256-GCM < CHACHA20-POLY1305 < dns servers +< fwhost invalid country code < ids all including informational < ids email alerts < ids email alert severity @@ -218,6 +219,7 @@ < endpoint port < extrahd because it it outside the allowed mount path < fwdfw syn flood protection +< fwhost invalid country code < fwhost wg peers < g.dtm < g.lite @@ -570,6 +572,7 @@ < fwhost cust location < fwhost cust locationgroup < fwhost cust locationlocation +< fwhost invalid country code < fwhost newlocationgrp < fwhost wg peers < fw red @@ -1230,6 +1233,7 @@ < fwhost cust location < fwhost cust locationgroup < fwhost cust locationlocation +< fwhost invalid country code < fwhost newlocationgrp < fwhost wg peers < fw red @@ -2154,6 +2158,7 @@ < fwhost hint < fwhost hosts < fwhost icmptype +< fwhost invalid country code < fwhost ipadr < fwhost ip_mac < fwhost ipsec host @@ -3282,6 +3287,7 @@ < fwhost hint < fwhost hosts < fwhost icmptype +< fwhost invalid country code < fwhost ipadr < fwhost ip_mac < fwhost ipsec host @@ -4045,6 +4051,7 @@ < foreshadow < fwdfw all subnets < fwdfw syn flood protection +< fwhost invalid country code < fwhost wg peers < fw red < generate ptr 
@@ -4399,6 +4406,7 @@ < Captive wrong type < CHACHA20-POLY1305 < dns servers +< fwhost invalid country code < guaranteed bandwidth < ids all including informational < ids email alerts @@ -4462,6 +4470,7 @@ < Captive wrong type < CHACHA20-POLY1305 < dns servers +< fwhost invalid country code < guaranteed bandwidth < ids all including informational < ids email alerts diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index 34475b75c..8c2600500 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -524,17 +524,19 @@ print < $Lang::tr{'username'} - + $Lang::tr{'token'} - + $Lang::tr{'password'} - +
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi index 0d3b14797..29a46d4b6 100644 --- a/html/cgi-bin/dns.cgi +++ b/html/cgi-bin/dns.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2005-2024 IPFire Team # +# Copyright (C) 2005-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -127,15 +127,17 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L $errormessage = "$Lang::tr{'invalid ip'}: $cgiparams{'NAMESERVER'}"; } + # Check if the provided hostname is valid + if ($cgiparams{'TLS_HOSTNAME'} ne "") { + unless (&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) { + $errormessage = "$Lang::tr{'invalid ip or hostname'}: " . &Header::escape($cgiparams{'TLS_HOSTNAME'}); + } + } + # Check if a TLS is enabled and no TLS_HOSTNAME has benn specified. - elsif($settings{'PROTO'} eq "TLS") { - unless($cgiparams{"TLS_HOSTNAME"}) { + if ($settings{'PROTO'} eq "TLS") { + unless ($cgiparams{"TLS_HOSTNAME"}) { $errormessage = "$Lang::tr{'dns no tls hostname given'}"; - } else { - # Check if the provided domain is valid. - unless(&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) { - $errormessage = "$Lang::tr{'invalid ip or hostname'}: $cgiparams{'TLS_HOSTNAME'}"; - } } } 
@@ -773,9 +775,9 @@ sub show_add_edit_nameserver() { # Check if an ID has been given. if ($cgiparams{'ID'}) { # Assign cgiparams values. - $cgiparams{'NAMESERVER'} = $dns_servers{$cgiparams{'ID'}}[0]; + $cgiparams{'NAMESERVER'} = &Header::escape($dns_servers{$cgiparams{'ID'}}[0]); $cgiparams{'TLS_HOSTNAME'} = $dns_servers{$cgiparams{'ID'}}[1]; - $cgiparams{'REMARK'} = $dns_servers{$cgiparams{'ID'}}[3]; + $cgiparams{'REMARK'} = $Header::escape($dns_servers{$cgiparams{'ID'}}[3]); } } else { &Header::openbox('100%', 'left', $Lang::tr{'dnsforward add a new entry'}); diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 5f1eac09e..20e6a95e4 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx # +# Copyright (C) 2013-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -2351,6 +2351,7 @@ sub saverule $fwdfwsettings{'ruleremark'}=~ s/,/;/g; utf8::decode($fwdfwsettings{'ruleremark'}); $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'}); + $fwdfwsettings{'PROT'}=&Header::escape($fwdfwsettings{'PROT'}); if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'}; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 953f81e5f..dca425b69 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi 
@@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx # +# Copyright (C) 2013-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -703,6 +703,10 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp') # Check name if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};} + unless (&General::validcc($fwhostsettings{'COUNTRY_CODE'})) { + $errormessage = $Lang::tr{'fwhost invalid country code'}; + } + # Check for existing group name. if (!&checkgroup($grp) && $fwhostsettings{'update'} ne 'on'){ $errormessage = $Lang::tr{'fwhost err grpexist'}; @@ -714,7 +718,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp') } if ($fwhostsettings{'update'} eq 'on'){ - @target=$fwhostsettings{'COUNTRY_CODE'}; + @target = $fwhostsettings{'COUNTRY_CODE'}; $type='Location Group'; #check if host/net exists in grp @@ -1779,7 +1783,7 @@ sub addservice { $fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'}; $fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'}; - $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'}; + $fwhostsettings{'oldsrvprot'} = &Header::escape($fwhostsettings{'PROT'}); $fwhostsettings{'oldsrvicmp'} = $fwhostsettings{'ICMP'}; } print< # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -1525,7 +1525,8 @@ print < $Lang::tr{'remark'} - + diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat index dcc812e47..1c8e4b68e 100644 --- a/html/cgi-bin/logs.cgi/calamaris.dat +++ b/html/cgi-bin/logs.cgi/calamaris.dat 
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'}) if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; } + if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/)) + { + die "Invalid input in\"$commandline\""; + } system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline") } diff --git a/html/cgi-bin/logs.cgi/config.dat b/html/cgi-bin/logs.cgi/config.dat index aed0db9cf..e4b173ffb 100644 --- a/html/cgi-bin/logs.cgi/config.dat +++ b/html/cgi-bin/logs.cgi/config.dat @@ -1,13 +1,23 @@ #!/usr/bin/perl -# -# IPFire CGIs -# -# This code is distributed under the terms of the GPL -# -# (c) The IPFire Team -# -# $Id: config.dat,v 1.2.2.10 2005/06/14 12:32:07 eoberlander Exp $ -# +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2025 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### use strict; @@ -143,6 +153,7 @@ END &Header::closebox(); &Header::openbox('100%', 'left', $Lang::tr{'remote logging'}); +$logsettings{'REMOTELOG_ADDR'} = &Header::escape($logsettings{'REMOTELOG_ADDR'}); print < diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat index 4e998a567..7b574092c 100644 
--- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat +++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat @@ -1,14 +1,23 @@ #!/usr/bin/perl -# -# SmoothWall CGIs -# -# This code is distributed under the terms of the GPL -# -# JC HERITIER -# page inspired from the initial firewalllog.dat -# -# Modified for IPFire by Christian Schmidt -# and Michael Tremer (www.ipfire.org) +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2025 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### use strict; use Getopt::Std; @@ -270,7 +279,8 @@ print < $Lang::tr{'Number of Countries for the pie chart'}: - + diff --git a/html/cgi-bin/logs.cgi/firewalllogip.dat b/html/cgi-bin/logs.cgi/firewalllogip.dat index a7c6e5f80..03584a9f2 100644 --- a/html/cgi-bin/logs.cgi/firewalllogip.dat +++ b/html/cgi-bin/logs.cgi/firewalllogip.dat 
@@ -1,14 +1,23 @@ #!/usr/bin/perl -# -# SmoothWall CGIs -# -# This code is distributed under the terms of the GPL -# -# JC HERITIER -# page inspired from the initial firewalllog.dat -# -# Modified for IPFire by Christian Schmidt -# and Michael Tremer (www.ipfire.org) +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2007-2025 IPFire Team # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### use strict; use Getopt::Std; @@ -272,7 +281,8 @@ print < $Lang::tr{'Number of IPs for the pie chart'}: - + diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat index 8fbf4f8fa..5e6baef3c 100644 --- a/html/cgi-bin/logs.cgi/ovpnclients.dat +++ b/html/cgi-bin/logs.cgi/ovpnclients.dat @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2020 IPFire Team # +# Copyright (C) 2020 - 2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -141,7 +141,7 @@ my $database_query = qq( ORDER BY common_name, duration DESC; ); -if ($cgiparams{'CONNECTION_NAME'}) { +if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) { $database_query = qq( SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent, STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi index 0ed3dfeca..6c024974d 100644 --- a/html/cgi-bin/mail.cgi +++ b/html/cgi-bin/mail.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2020 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -218,11 +218,13 @@ END $Lang::tr{'email mailuser'} - + $Lang::tr{'email mailpass'} - + $Lang::tr{'email tls'} diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index bdce2fa66..fdb7c6a77 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -955,7 +955,8 @@ if ($netsettings{'BLUE_DEV'}) { } print <$Lang::tr{'advproxy visible hostname'}: - + END @@ -1074,13 +1075,15 @@ print <$Lang::tr{'proxy cachemgr'}: $Lang::tr{'advproxy admin mail'}: - + $Lang::tr{'proxy filedescriptors'}: * $Lang::tr{'proxy admin password'}: - + 
@@ -3976,8 +3979,14 @@ END print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n"; } - if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; } - if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; } + if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) + { + print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; + } + if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) + { + print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; + } print FILE "\n"; print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n"; @@ -3993,8 +4002,13 @@ END # login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on') if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS')) { + $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'}); print FILE " login=$proxysettings{'UPSTREAM_USER'}"; - if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; } + if ($proxy1 eq 'YES') + { + $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'}); + print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; + } } elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; } diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi index 52392be08..8400bafdf 100644 --- a/html/cgi-bin/qos.cgi +++ b/html/cgi-bin/qos.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # 
@@ -671,6 +671,8 @@ END END ; if (($qossettings{'OUT_SPD'} ne '') && ($qossettings{'INC_SPD'} ne '')) { + $qossettings{'OUT_SPD'} = &Header::escape($qossettings{'OUT_SPD'}); + $qossettings{'INC_SPD'} = &Header::escape($qossettings{'INC_SPD'}); print < @@ -683,6 +685,8 @@ END ; } if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) { + $qossettings{'DEFCLASS_OUT'} = &Header::escape($qossettings{'DEFCLASS_OUT'}); + $qossettings{'DEFCLASS_INC'} = &Header::escape($qossettings{'DEFCLASS_INC'}); print <
diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi index 04c1e771f..d465354bb 100644 --- a/html/cgi-bin/time.cgi +++ b/html/cgi-bin/time.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2010 IPFire Team # +# Copyright (C) 2010-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'}) if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0) { $errormessage = $Lang::tr{'invalid time period'}; + $timesettings{'UPDATE_VALUE'} = 0; goto ERROR; } diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi index 1ced06e26..2467f297c 100644 --- a/html/cgi-bin/urlfilter.cgi +++ b/html/cgi-bin/urlfilter.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2005-2010 IPFire Team # +# Copyright (C) 2005-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -576,7 +576,7 @@ if (($uqsettings{'MODE'} eq 'USERQUOTA') && ($uqsettings{'ACTION'} eq $Lang::tr{ $_ = $uqsettings{'QUOTA_USERS'}; chomp; s/\n/|/g; - my $quota_users = $_; + my $quota_users = &Header::escape($_); if ($uqsettings{'QUOTA_USERS'} =~ /\\/) { 
@@ -936,6 +936,11 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes close FILE; # XXX uses globbing + if(!($besettings{'BE_NAME'} =~ /^[a-zA-Z0-9-_]+$/)) + { + $errormessage = 'Invalid blacklist name (use only alphanumeric characters plus hyphens or underscores)'; + goto ERROR; + } system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db"); &General::system("/usr/bin/squidGuard", "-c", "$editdir/install.conf", "-C", "all"); # XXX uses globbing @@ -2047,6 +2052,10 @@ foreach $line (@tclist) if ($temp[7] eq 'on') { $time.=$Lang::tr{'urlfilter sun'}; } else { $time.='='; } $time=$time.'   '.$temp[8].':'.$temp[9].' to '.$temp[10].':'.$temp[11]; + $temp[12] = &Header::escape($temp[12]); + $temp[13] = &Header::escape($temp[13]); + $temp[16] = &Header::escape($temp[16]); + print <$temp[0] diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index b997ff9a7..09a63b535 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1289,6 +1289,7 @@ 'fwhost hint' => 'Hinweis', 'fwhost hosts' => 'Firewall-Hosts', 'fwhost icmptype' => 'ICMP-Typ:', +'fwhost invalid country code' => 'Ungültiger Ländercode', 'fwhost ip_mac' => 'IP/MAC-Adresse', 'fwhost ipadr' => 'IP-Adresse:', 'fwhost ipsec host' => 'IPsec-Clients:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 35e9da184..02a088600 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1341,6 +1341,7 @@ 'fwhost hint' => 'Note', 'fwhost hosts' => 'Firewall Hosts', 'fwhost icmptype' => 'ICMP type:', +'fwhost invalid country code' => 'Invalid Country Code', 'fwhost ip_mac' => 'IP/MAC address', 'fwhost ipadr' => 'IP address:', 'fwhost ipsec host' => 'IPsec clients:', hooks/post-receive -- IPFire 2.x development tree
$time
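Review bot: The header rewrite at the top of firewalllogcountry.dat and firewalllogip.dat removes the existing attribution lines (`# SmoothWall CGIs`, `# JC HERITIER`, `# Modified for IPFire by Christian Schmidt`) and replaces the bare "terms of the GPL" statement with a version 3 or later notice. That is a licensing and attribution change unrelated to the pie-chart escaping in the second hunk of each file. It would be easier to audit as its own commit, with the original author credits kept beneath the new banner.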
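Review bot: In the `CONNECTION_NAME` condition in ovpnclients.dat, a value that fails `/^[a-zA-Z0-9]+$/` now silently falls through to the default query assigned just above, so the user gets no indication that the filter was rejected. Set `$errormessage` in that case. Two smaller points on the same line: `$` in Perl also matches before a trailing newline, so `\z` is the stricter anchor; and if the name is interpolated into the `qq(...)` SQL text that follows, binding it as a placeholder would remove the dependency on the allowlist, which as written also rejects names containing hyphens or underscores.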
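Review bot: In the `login=` block of proxy.cgi, `UPSTREAM_USER` and `UPSTREAM_PASSWORD` are passed through `&Header::escape()` immediately before `print FILE`, so the escaped form lands in the generated file rather than in page output. If `Header::escape` is the HTML escaper that the qos.cgi and urlfilter.cgi hunks apply ahead of their HTML heredocs (an assumption from its use there), credentials containing characters such as `&` or `<` will be written in entity form and will no longer match what the upstream proxy expects. Validate the two values when they are saved (reject whitespace and line breaks) and write them unmodified. `ADMIN_MAIL_ADDRESS` and `ADMIN_PASSWORD` a few lines up are reformatted by this hunk but are still written to the file with no check visible here, so the same validation applies to them.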
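Review bot: Both qos.cgi hunks overwrite `$qossettings{'OUT_SPD'}`, `INC_SPD`, `DEFCLASS_OUT` and `DEFCLASS_INC` in place with their escaped form, so any later use of the hash in the same request sees the escaped value rather than what was stored. Escape into local variables used only by the heredoc, or, if these fields are meant to be numeric, validate them with `/\A\d+\z/` on input and drop the escaping.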
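Review bot: The added `$timesettings{'UPDATE_VALUE'} = 0;` in the validation branch of time.cgi has no comment saying why the field is reset, and `0` is itself a value the surrounding check rejects (`<= 0`). If the intent is to keep the rejected input from being echoed back into the form, say so in a one-line comment, and consider restoring the previously saved value so the form is left in a valid state.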
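Review bot: In the USERQUOTA branch of urlfilter.cgi, `my $quota_users = &Header::escape($_);` escapes the user list at assignment, and the visible lines do not show where `$quota_users` is used afterwards. If it is written to the quota configuration rather than printed as HTML, the stored names will differ from what was entered; escape at the point of HTML output instead and keep the raw, validated names for storage.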
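Review bot: The new `BE_NAME` check in urlfilter.cgi sits after `close FILE;`, so an invalid name is rejected only after the preceding file has already been written; move it to the top of the install-blacklist branch. In the pattern `/^[a-zA-Z0-9-_]+$/`, `$` also matches before a trailing newline, and the value goes into the single-string `system("rm -f $dbdir/...")` on the next line, so anchor with `\A` and `\z` and put the hyphen last in the character class. The error text is a hardcoded English string, while this patch adds a `$Lang::tr` key for 'fwhost invalid country code'; add a language key here as well.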
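Review bot: In the `@tclist` loop of urlfilter.cgi only `$temp[12]`, `$temp[13]` and `$temp[16]` are escaped, while `$temp[8]` through `$temp[11]` are concatenated into `$time` on the line above and `$temp[0]` is printed in the same block without escaping. Either escape those fields as well or add a comment stating where they are validated.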