* [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 54e9e66841b8fc97dd46ba419228c3fb6d488b69
@ 2025-10-02 16:57 Michael Tremer
From: Michael Tremer @ 2025-10-02 16:57 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via 54e9e66841b8fc97dd46ba419228c3fb6d488b69 (commit)
via 6d107e8683fb816f0f63fd6022b30a277ea9d191 (commit)
via 8726b465430f59a18e3704c47d886662ca59ad22 (commit)
via b46ccb021ed46cac8690c6f16f08f813beb12f5c (commit)
via 9a4fbd0bac49ee76006f732701c6fea8d2338f8a (commit)
via 841d9dab524bfe6572471f4e14b97534e840bed1 (commit)
via 0560cc7c4d06ce05e37c397f38be05907e098601 (commit)
via 3aad228b56bd2a87d3eeca1d027197734e0fac8c (commit)
via 43ce8d752e79453e99fccb33bd8a4176bba4c670 (commit)
via 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c (commit)
via ad995081302f6b28ea11c74e56306d94a7bee076 (commit)
via 0b946b848c72511922fa211b6a4db0da092d204c (commit)
via 9ceb7c7e8b3191109e7dd7c84444dce126996ee2 (commit)
via e6a0ecf248d26c72f015d082e84ecd2772823c08 (commit)
via df17d1adafb5629ecd4d80634002028d7ab4cf58 (commit)
via a31550706f590193f63f2a9c57c943a9ab572642 (commit)
via c431d86ab882f1305f831a37c04491a7ae771e28 (commit)
via fc3f7f4a179b26b6ef255a3ab46b6fe6faf208c9 (commit)
via 7dca07fdcf018320bc10eb4d5fcd019dd1a7029a (commit)
via 32f22c92e19c2d94c5f0b667f27e7a5ccd65ac61 (commit)
via 67db35c8a536b54d169336269853aaa6eae85ab5 (commit)
via 8025aa78fb52933666e13a7e9e782edf4ddf8b42 (commit)
via 8d78fb4b816e032738b08e724d51c200364e5037 (commit)
via dd6d272b6828e443478d2e6e40c1ce19d54f3c2a (commit)
via f04e5fb1c91582d2bfbcdcebfe2aa9a47a5edb43 (commit)
via 0400a1009439d0ffeddb1e449c8bd656341f5f44 (commit)
via eb257423df48f233312d06b2a7cd48cf5dfd21fd (commit)
via a2c624b99dbcecb469e6001505731049ef5cbbd3 (commit)
from 9150cbddeb913ce093f2f7e0669e4a8ab3265bb0 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 54e9e66841b8fc97dd46ba419228c3fb6d488b69
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Oct 2 16:57:10 2025 +0000
core198: Ship header.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 6d107e8683fb816f0f63fd6022b30a277ea9d191
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Oct 2 13:10:15 2025 +0200
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 8726b465430f59a18e3704c47d886662ca59ad22
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Oct 2 13:10:14 2025 +0200
dns.cgi: Fix for XSS potential
- Related to CVE-2025-50976
- Fixes NAMESERVER & REMARK
- TLS_HOSTNAME was already fixed in a previous patch
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit b46ccb021ed46cac8690c6f16f08f813beb12f5c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:32:51 2025 +0200
proxy.cgi: Escape parameters in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9a4fbd0bac49ee76006f732701c6fea8d2338f8a
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:29:35 2025 +0200
dns.cgi: Validate the TLS hostname regardless of TLS being used
That way, we won't have to perform escaping later on and can rely on
having a valid value.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 841d9dab524bfe6572471f4e14b97534e840bed1
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:19:59 2025 +0200
mail.cgi: Escape username/password in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0560cc7c4d06ce05e37c397f38be05907e098601
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:12:20 2025 +0200
firewalllogcountry.dat: Escape pienumber in the correct place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 3aad228b56bd2a87d3eeca1d027197734e0fac8c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:10:56 2025 +0200
firewalllogip.dat: Escape pienumber in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 43ce8d752e79453e99fccb33bd8a4176bba4c670
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:07:36 2025 +0200
ids.cgi: Escape the remark before sending it back to the browser
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:05:32 2025 +0200
fwhosts.cgi: Escape PROT in the right place
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit ad995081302f6b28ea11c74e56306d94a7bee076
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 17:02:18 2025 +0200
fwhosts.cgi: Check country code before proceeding
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0b946b848c72511922fa211b6a4db0da092d204c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Thu Sep 25 16:37:27 2025 +0200
ddns.cgi: Escape the variables when they are being sent back to the browser
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 9ceb7c7e8b3191109e7dd7c84444dce126996ee2
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:52 2025 +0200
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit e6a0ecf248d26c72f015d082e84ecd2772823c08
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:51 2025 +0200
proxy.cgi: Fixes bug 13893
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit df17d1adafb5629ecd4d80634002028d7ab4cf58
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:50 2025 +0200
dns.cgi: Fixes bug 13892
Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a31550706f590193f63f2a9c57c943a9ab572642
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:49 2025 +0200
mail.cgi: Fixes bug 13891
Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit c431d86ab882f1305f831a37c04491a7ae771e28
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:48 2025 +0200
config.dat: Fixes bug 13890
Fixes: bug 13890 - config.dat REMOTELOG_ADDR Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit fc3f7f4a179b26b6ef255a3ab46b6fe6faf208c9
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:47 2025 +0200
urlfilter.cgi: Fixes bugs 13887, 13888 & 13889
Fixes: bug 13887 - urlfilter.cgi BE_NAME Command Injection
Fixes: bug 13888 - urlfilter.cgi USERQUOTA QUOTA_USERS Stored Cross-Site Scripting
Fixes: bug 13889 - urlfilter.cgi TIMECONSTRAINT SRC DST COMMENT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 7dca07fdcf018320bc10eb4d5fcd019dd1a7029a
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:46 2025 +0200
calamaris.dat: Fixes bug 13886
Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 32f22c92e19c2d94c5f0b667f27e7a5ccd65ac61
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:45 2025 +0200
qos.cgi: Fixes bug 13885
Fixes: bug 13885 - qos.cgi INC_SPD OUT_SPD DEFCLASS_INC DEFCLASS_OUT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 67db35c8a536b54d169336269853aaa6eae85ab5
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:44 2025 +0200
ddns.cgi: Fixes bug 13884
Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 8025aa78fb52933666e13a7e9e782edf4ddf8b42
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:43 2025 +0200
time.cgi: Fixes bug 13883
Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 8d78fb4b816e032738b08e724d51c200364e5037
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:42 2025 +0200
firewalllogcountry.dat: Fixes bug 13882
Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit dd6d272b6828e443478d2e6e40c1ce19d54f3c2a
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:41 2025 +0200
firewalllogip.dat: Fixes bug 13881
Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit f04e5fb1c91582d2bfbcdcebfe2aa9a47a5edb43
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:40 2025 +0200
header.pl: Fixes bug 13880
Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 0400a1009439d0ffeddb1e449c8bd656341f5f44
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:39 2025 +0200
ovpnclients.dat: Fixes bug 13879
Fixes: bug 13879 - CONNECTION_NAME SQL Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit eb257423df48f233312d06b2a7cd48cf5dfd21fd
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:38 2025 +0200
ids.cgi: Fixes bug 13878
Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit a2c624b99dbcecb469e6001505731049ef5cbbd3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu Sep 25 13:12:37 2025 +0200
fwhosts.cgi: Fix for bug 13876 & bug 13877
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/cfgroot/general-functions.pl | 8 +++++++
config/cfgroot/header.pl | 2 +-
config/rootfiles/core/198/filelists/files | 1 +
doc/language_issues.en | 1 +
doc/language_issues.es | 1 +
doc/language_issues.fr | 1 +
doc/language_issues.it | 1 +
doc/language_issues.nl | 1 +
doc/language_issues.pl | 1 +
doc/language_issues.ru | 1 +
doc/language_issues.tr | 1 +
doc/language_issues.tw | 1 +
doc/language_issues.zh | 1 +
doc/language_missings | 9 ++++++++
html/cgi-bin/ddns.cgi | 8 ++++---
html/cgi-bin/dns.cgi | 22 ++++++++++---------
html/cgi-bin/firewall.cgi | 3 ++-
html/cgi-bin/fwhosts.cgi | 10 ++++++---
html/cgi-bin/ids.cgi | 5 +++--
html/cgi-bin/logs.cgi/calamaris.dat | 4 ++++
html/cgi-bin/logs.cgi/config.dat | 29 +++++++++++++++++--------
html/cgi-bin/logs.cgi/firewalllogcountry.dat | 32 ++++++++++++++++++----------
html/cgi-bin/logs.cgi/firewalllogip.dat | 32 ++++++++++++++++++----------
html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
html/cgi-bin/mail.cgi | 8 ++++---
html/cgi-bin/proxy.cgi | 26 ++++++++++++++++------
html/cgi-bin/qos.cgi | 6 +++++-
html/cgi-bin/time.cgi | 3 ++-
html/cgi-bin/urlfilter.cgi | 13 +++++++++--
langs/de/cgi-bin/de.pl | 1 +
langs/en/cgi-bin/en.pl | 1 +
31 files changed, 171 insertions(+), 66 deletions(-)
Difference in files:
diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl
index 33b5605e2..94d0e7440 100644
--- a/config/cfgroot/general-functions.pl
+++ b/config/cfgroot/general-functions.pl
@@ -864,6 +864,14 @@ sub validportrange # used to check a port range
}
}
+# Checks for a valid country code
+sub validcc($) {
+ my $cc = shift;
+
+ # Must contain of exactly two uppercase characters, or must be A1, A2, or A3
+ return ($cc =~ m/^([A-Z]{2}|A[123])$/);
+}
+
sub IpInSubnet {
my $addr = shift;
my $network = shift;
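Review bot: the `$` anchor in `m/^([A-Z]{2}|A[123])$/` also matches just before a trailing newline, so a value such as "DE\n" passes validcc(); use `\z` (`m/^([A-Z]{2}|A[123])\z/`) unless every caller strips its input first. The comment should read "Must consist of exactly two uppercase characters" rather than "contain of". The `($)` prototype is harmless but gives no checking in practice, since fwhosts.cgi below calls it as `&General::validcc(...)` and the `&` form bypasses prototypes.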
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 9492b467d..6e65f4137 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -647,7 +647,7 @@ sub cleanhtml {
# decode the UTF-8 text so that characters with diacritical marks such as
# umlauts are treated correctly by the escape command
$outstring = &Encode::decode("UTF-8",$outstring);
- escape($outstring);
+ $outstring = escape($outstring);
# encode the text back to UTF-8 after running the escape command
$outstring = &Encode::encode("UTF-8",$outstring);
return $outstring;
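Review bot: this is the root cause of the unchecked-return-value bug: `escape($outstring);` in void context computed the escaped string and discarded it, so cleanhtml() returned the decoded input unchanged and every caller relying on it printed raw user data. The one-line fix is correct; a small regression test asserting that cleanhtml('<script>') contains no '<' would be worth adding next to it so the call cannot silently lose its assignment again.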
diff --git a/config/rootfiles/core/198/filelists/files b/config/rootfiles/core/198/filelists/files
index 44d8182e9..adf18e482 100644
--- a/config/rootfiles/core/198/filelists/files
+++ b/config/rootfiles/core/198/filelists/files
@@ -1,4 +1,5 @@
etc/rc.d/init.d/cleanfs
etc/rc.d/init.d/suricata
var/ipfire/graphs.pl
+var/ipfire/header.pl
var/ipfire/ids-functions.pl
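Review bot: this filelist only gains var/ipfire/header.pl, but the diffstat above also changes config/cfgroot/general-functions.pl (installed as var/ipfire/general-functions.pl, now carrying the new validcc()) and a number of html/cgi-bin files; unless those are shipped through other entries of the core 198 filelists, fwhosts.cgi on an updated system would call an undefined &General::validcc. Please confirm they are included.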
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 6dfada328..fe7a17f1f 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -942,6 +942,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
WARNING: untranslated string: fwhost hint = Note
WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost ip_mac = IP/MAC address
WARNING: untranslated string: fwhost ipsec net = IPsec networks:
WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.es b/doc/language_issues.es
index cadfaf5d6..f0a6e31ba 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1028,6 +1028,7 @@ WARNING: untranslated string: error message = unknown string
WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
WARNING: untranslated string: guardian block ssh brute-force = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index a03241bce..ce55b88ba 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1014,6 +1014,7 @@ WARNING: untranslated string: extrahd because it is outside the allowed mount pa
WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index d5fdcd55e..ee5135003 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1116,6 +1116,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups
WARNING: untranslated string: fwhost cust locationgroup = Location Groups
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost newlocationgrp = Location Groups
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: generate ptr = Generate PTR
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 72af4fba5..415041191 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1123,6 +1123,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups
WARNING: untranslated string: fwhost cust locationgroup = Location Groups
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost newlocationgrp = Location Groups
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: generate ptr = Generate PTR
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index c89dd9966..c951b39ce 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1223,6 +1223,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
WARNING: untranslated string: fwhost hint = Note
WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost ip_mac = IP/MAC address
WARNING: untranslated string: fwhost ipsec net = IPsec networks:
WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 2377115ab..738de8fee 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1221,6 +1221,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
WARNING: untranslated string: fwhost hint = Note
WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost ip_mac = IP/MAC address
WARNING: untranslated string: fwhost ipsec net = IPsec networks:
WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index dfabd029e..cb13bc21f 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1063,6 +1063,7 @@ WARNING: untranslated string: fwdfw all subnets = All subnets
WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: fwhost wg peers = WireGuard Peers
WARNING: untranslated string: generate ptr = Generate PTR
WARNING: untranslated string: guardian block a host = unknown string
diff --git a/doc/language_issues.tw b/doc/language_issues.tw
index 2745a25ba..5a9f61b2c 100644
--- a/doc/language_issues.tw
+++ b/doc/language_issues.tw
@@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string
WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_issues.zh b/doc/language_issues.zh
index 2745a25ba..5a9f61b2c 100644
--- a/doc/language_issues.zh
+++ b/doc/language_issues.zh
@@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string
WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
WARNING: untranslated string: fwhost cust locationgrp = unknown string
WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth
WARNING: untranslated string: guardian block a host = unknown string
WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_missings b/doc/language_missings
index 03c286f5a..b042081eb 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -156,6 +156,7 @@
< AES-256-GCM
< CHACHA20-POLY1305
< dns servers
+< fwhost invalid country code
< ids all including informational
< ids email alerts
< ids email alert severity
@@ -218,6 +219,7 @@
< endpoint port
< extrahd because it it outside the allowed mount path
< fwdfw syn flood protection
+< fwhost invalid country code
< fwhost wg peers
< g.dtm
< g.lite
@@ -570,6 +572,7 @@
< fwhost cust location
< fwhost cust locationgroup
< fwhost cust locationlocation
+< fwhost invalid country code
< fwhost newlocationgrp
< fwhost wg peers
< fw red
@@ -1230,6 +1233,7 @@
< fwhost cust location
< fwhost cust locationgroup
< fwhost cust locationlocation
+< fwhost invalid country code
< fwhost newlocationgrp
< fwhost wg peers
< fw red
@@ -2154,6 +2158,7 @@
< fwhost hint
< fwhost hosts
< fwhost icmptype
+< fwhost invalid country code
< fwhost ipadr
< fwhost ip_mac
< fwhost ipsec host
@@ -3282,6 +3287,7 @@
< fwhost hint
< fwhost hosts
< fwhost icmptype
+< fwhost invalid country code
< fwhost ipadr
< fwhost ip_mac
< fwhost ipsec host
@@ -4045,6 +4051,7 @@
< foreshadow
< fwdfw all subnets
< fwdfw syn flood protection
+< fwhost invalid country code
< fwhost wg peers
< fw red
< generate ptr
@@ -4399,6 +4406,7 @@
< Captive wrong type
< CHACHA20-POLY1305
< dns servers
+< fwhost invalid country code
< guaranteed bandwidth
< ids all including informational
< ids email alerts
@@ -4462,6 +4470,7 @@
< Captive wrong type
< CHACHA20-POLY1305
< dns servers
+< fwhost invalid country code
< guaranteed bandwidth
< ids all including informational
< ids email alerts
diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi
index 34475b75c..8c2600500 100644
--- a/html/cgi-bin/ddns.cgi
+++ b/html/cgi-bin/ddns.cgi
@@ -524,17 +524,19 @@ print <<END
<td><input type='checkbox' name='ENABLED' $checked{'ENABLED'}{'on'} /></td>
<td class='username'>$Lang::tr{'username'}</td>
- <td class='username'><input type='text' name='LOGIN' value='$settings{'LOGIN'}' /></td>
+ <td class='username'><input type='text' name='LOGIN'
+ value='@{[ &Header::escape($settings{'LOGIN'}) ]}' /></td>
<td class='token' style='display:none'>$Lang::tr{'token'}</td>
- <td class='token' style='display:none'><input type='text' name='TOKEN' value='$settings{'TOKEN'}' /></td>
+ <td class='token' style='display:none'><input type='text' name='TOKEN'
+ value='@{[ &Header::escape($settings{'TOKEN'}) ]}' /></td>
</tr>
<tr class='password'>
<td class='base'></td>
<td></td>
<td class='base'>$Lang::tr{'password'}</td>
- <td><input type='password' name='PASSWORD' value='$settings{'PASSWORD'}' /></td>
+ <td><input type='password' name='PASSWORD' value='@{[ &Header::escape($settings{'PASSWORD'}) ]}' /></td>
</tr>
</table>
<br>
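Review bot: the escaped LOGIN, TOKEN and PASSWORD values land inside single-quoted attributes (value='...'), so this is only safe if &Header::escape encodes the apostrophe as well as <, >, & and "; please confirm it does, or switch these attributes to double quotes, which is what a typical HTML escaper guarantees. Splitting the <input> tag across two lines is valid HTML and fine.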
diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi
index 0d3b14797..29a46d4b6 100644
--- a/html/cgi-bin/dns.cgi
+++ b/html/cgi-bin/dns.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2024 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2005-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -127,15 +127,17 @@ if (($cgiparams{'SERVERS'} eq $Lang::tr{'save'}) || ($cgiparams{'SERVERS'} eq $L
$errormessage = "$Lang::tr{'invalid ip'}: $cgiparams{'NAMESERVER'}";
}
+ # Check if the provided hostname is valid
+ if ($cgiparams{'TLS_HOSTNAME'} ne "") {
+ unless (&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) {
+ $errormessage = "$Lang::tr{'invalid ip or hostname'}: " . &Header::escape($cgiparams{'TLS_HOSTNAME'});
+ }
+ }
+
# Check if a TLS is enabled and no TLS_HOSTNAME has benn specified.
- elsif($settings{'PROTO'} eq "TLS") {
- unless($cgiparams{"TLS_HOSTNAME"}) {
+ if ($settings{'PROTO'} eq "TLS") {
+ unless ($cgiparams{"TLS_HOSTNAME"}) {
$errormessage = "$Lang::tr{'dns no tls hostname given'}";
- } else {
- # Check if the provided domain is valid.
- unless(&General::validfqdn($cgiparams{"TLS_HOSTNAME"})) {
- $errormessage = "$Lang::tr{'invalid ip or hostname'}: $cgiparams{'TLS_HOSTNAME'}";
- }
}
}
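Review bot: the NAMESERVER check above and the new TLS_HOSTNAME check both assign `$errormessage =` rather than append, so when both fields are invalid only the hostname error is shown; use `.=` with a separator if both should be reported. The unchanged comment still reads "has benn specified" (been). Moving the FQDN check out of the TLS branch is the right call: the value is validated before it is stored regardless of protocol, which is why it no longer needs escaping when printed later.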
@@ -773,9 +775,9 @@ sub show_add_edit_nameserver() {
# Check if an ID has been given.
if ($cgiparams{'ID'}) {
# Assign cgiparams values.
- $cgiparams{'NAMESERVER'} = $dns_servers{$cgiparams{'ID'}}[0];
+ $cgiparams{'NAMESERVER'} = &Header::escape($dns_servers{$cgiparams{'ID'}}[0]);
$cgiparams{'TLS_HOSTNAME'} = $dns_servers{$cgiparams{'ID'}}[1];
- $cgiparams{'REMARK'} = $dns_servers{$cgiparams{'ID'}}[3];
+ $cgiparams{'REMARK'} = $Header::escape($dns_servers{$cgiparams{'ID'}}[3]);
}
} else {
&Header::openbox('100%', 'left', $Lang::tr{'dnsforward add a new entry'});
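Review bot: `$Header::escape($dns_servers{$cgiparams{'ID'}}[3])` on the REMARK line is not a subroutine call: with a `$` sigil Perl reads `$Header::escape` as a scalar variable, and `$scalar(...)` is a syntax error, so this breaks all of dns.cgi at compile time. It should be `&Header::escape(...)` as on the NAMESERVER line two lines above. Escaping NAMESERVER and REMARK at read time while leaving TLS_HOSTNAME alone is consistent with TLS_HOSTNAME now being validated as an FQDN on save.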
diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 5f1eac09e..20e6a95e4 100644
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
+# Copyright (C) 2013-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -2351,6 +2351,7 @@ sub saverule
$fwdfwsettings{'ruleremark'}=~ s/,/;/g;
utf8::decode($fwdfwsettings{'ruleremark'});
$fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'});
+ $fwdfwsettings{'PROT'}=&Header::escape($fwdfwsettings{'PROT'});
if ($fwdfwsettings{'updatefwrule'} ne 'on'){
my $key = &General::findhasharraykey ($hash);
$$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};
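Review bot: this escapes PROT at save time, so the HTML-encoded form is what gets written into the rule hash and read by every consumer of it, not only the HTML output. For the expected protocol names (tcp, udp, ...) escape() is a no-op, but validating PROT against the list of protocols the firewall actually accepts, and rejecting the request otherwise, would be a stronger guarantee than storing an escaped string and would also cover the rule generator that consumes this field. The same applies to the ruleremark line above, which the commit message notes was already handled this way.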
diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi
index 953f81e5f..dca425b69 100644
--- a/html/cgi-bin/fwhosts.cgi
+++ b/html/cgi-bin/fwhosts.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org> #
+# Copyright (C) 2013-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -703,6 +703,10 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
# Check name
if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};}
+ unless (&General::validcc($fwhostsettings{'COUNTRY_CODE'})) {
+ $errormessage = $Lang::tr{'fwhost invalid country code'};
+ }
+
# Check for existing group name.
if (!&checkgroup($grp) && $fwhostsettings{'update'} ne 'on'){
$errormessage = $Lang::tr{'fwhost err grpexist'};
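Review bot: the name check two lines above appends with `.=`, while the new country-code check assigns with `=`, so an invalid-name error is silently overwritten when the country code is also invalid; use `$errormessage .= $Lang::tr{'fwhost invalid country code'};` for consistency with the surrounding checks.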
@@ -714,7 +718,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
}
if ($fwhostsettings{'update'} eq 'on'){
- @target=$fwhostsettings{'COUNTRY_CODE'};
+ @target = $fwhostsettings{'COUNTRY_CODE'};
$type='Location Group';
#check if host/net exists in grp
@@ -1779,7 +1783,7 @@ sub addservice
{
$fwhostsettings{'oldsrvname'} = $fwhostsettings{'SRV_NAME'};
$fwhostsettings{'oldsrvport'} = $fwhostsettings{'SRV_PORT'};
- $fwhostsettings{'oldsrvprot'} = $fwhostsettings{'PROT'};
+ $fwhostsettings{'oldsrvprot'} = &Header::escape($fwhostsettings{'PROT'});
$fwhostsettings{'oldsrvicmp'} = $fwhostsettings{'ICMP'};
}
print<<END;
diff --git a/html/cgi-bin/ids.cgi b/html/cgi-bin/ids.cgi
index 994872564..9685b37d0 100644
--- a/html/cgi-bin/ids.cgi
+++ b/html/cgi-bin/ids.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -1525,7 +1525,8 @@ print <<END;
<tr>
<td>$Lang::tr{'remark'}</td>
<td>
- <input type='text' name=IGNORE_ENTRY_REMARK value='$entry_remark' size='24' />
+ <input type='text' name=IGNORE_ENTRY_REMARK
+ value='@{[ &Header::escape($entry_remark) ]}' size='24' />
</td>
</tr>
diff --git a/html/cgi-bin/logs.cgi/calamaris.dat b/html/cgi-bin/logs.cgi/calamaris.dat
index dcc812e47..1c8e4b68e 100644
--- a/html/cgi-bin/logs.cgi/calamaris.dat
+++ b/html/cgi-bin/logs.cgi/calamaris.dat
@@ -170,6 +170,10 @@ if ($reportsettings{'ACTION'} eq $Lang::tr{'calamaris create report'})
if ($reportsettings{'RUN_BACKGROUND'} eq 'on') { $commandline.=" &"; }
+ if (!($commandline =~ /^[a-zA-Z0-9-\s]+$/))
+ {
+ die "Invalid input in\"$commandline\"";
+ }
system("${General::swroot}/proxy/calamaris/bin/mkreport $commandline")
}
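Review bot: the allow-list check runs after `" &"` has been appended for RUN_BACKGROUND, and `&` is not in `[a-zA-Z0-9-\s]`, so every background report request now dies; move the check above the RUN_BACKGROUND line, or append the ampersand only after validating. Two smaller points: `9-\s` inside the class is a "false range" that Perl only tolerates with a warning, so put the hyphen last (`[a-zA-Z0-9\s-]`), and the die message is missing a space before the quote (`"Invalid input in \"$commandline\""`). Validating the assembled command string is also coarser than validating each report parameter where it is read; passing the arguments to mkreport as a list (`system($cmd, @args)`) would avoid the shell entirely, at the cost of handling the background case differently.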
diff --git a/html/cgi-bin/logs.cgi/config.dat b/html/cgi-bin/logs.cgi/config.dat
index aed0db9cf..e4b173ffb 100644
--- a/html/cgi-bin/logs.cgi/config.dat
+++ b/html/cgi-bin/logs.cgi/config.dat
@@ -1,13 +1,23 @@
#!/usr/bin/perl
-#
-# IPFire CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# (c) The IPFire Team
-#
-# $Id: config.dat,v 1.2.2.10 2005/06/14 12:32:07 eoberlander Exp $
-#
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
@@ -143,6 +153,7 @@ END
&Header::closebox();
&Header::openbox('100%', 'left', $Lang::tr{'remote logging'});
+$logsettings{'REMOTELOG_ADDR'} = &Header::escape($logsettings{'REMOTELOG_ADDR'});
print <<END
<table width='100%'>
<tr>
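Review bot: Overwriting `$logsettings{'REMOTELOG_ADDR'}` with its HTML-escaped form means every later use of that hash in the script, including any write-back to the settings file on the save path, sees `&amp;`-style text rather than the real address. Escape inline at the print site, `value='@{[ &Header::escape($logsettings{'REMOTELOG_ADDR'}) ]}'`, as the `ids.cgi` and `mail.cgi` hunks in this same patch do, and leave the settings hash untouched.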
diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
index 4e998a567..7b574092c 100644
--- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
@@ -1,14 +1,23 @@
#!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-# and Michael Tremer (www.ipfire.org)
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
use Getopt::Std;
@@ -270,7 +279,8 @@ print <<END
</tr>
<tr>
<td colspan='3' align='left' valign="left">$Lang::tr{'Number of Countries for the pie chart'}:</td>
- <td colspan='3' align='left' valign="center"><input type='text' name='pienumber' value='$pienumber' size='4'></td>
+ <td colspan='3' align='left' valign="center"><input type='text' name='pienumber'
+ value='@{[ &Header::escape($pienumber) ]}' size='4'></td>
<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
</tr>
</table>
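Review bot: Escaping `$pienumber` on output is correct, but this field is a count used to size the pie chart, so the save path should also reject anything but a small positive integer (`/^\d+\z/`); with that in place the output-side escape becomes defence in depth rather than the only control. The same applies to the identical `firewalllogip.dat` hunk below.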
diff --git a/html/cgi-bin/logs.cgi/firewalllogip.dat b/html/cgi-bin/logs.cgi/firewalllogip.dat
index a7c6e5f80..03584a9f2 100644
--- a/html/cgi-bin/logs.cgi/firewalllogip.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogip.dat
@@ -1,14 +1,23 @@
#!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-# and Michael Tremer (www.ipfire.org)
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
use strict;
use Getopt::Std;
@@ -272,7 +281,8 @@ print <<END
</tr>
<tr>
<td colspan='3' align='left' valign="left">$Lang::tr{'Number of IPs for the pie chart'}:</td>
- <td colspan='3' align='left' valign="center"><input type='text' name='pienumber' value='$pienumber' size='4'></td>
+ <td colspan='3' align='left' valign="center"><input type='text' name='pienumber'
+ value='@{[ &Header::escape($pienumber) ]}' size='4'></td>
<td align='right'><input type='submit' name='ACTION' value='$Lang::tr{'save'}' /></td>
</tr>
</table>
diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
index 8fbf4f8fa..5e6baef3c 100644
--- a/html/cgi-bin/logs.cgi/ovpnclients.dat
+++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2020 - 2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -141,7 +141,7 @@ my $database_query = qq(
ORDER BY common_name, duration DESC;
);
-if ($cgiparams{'CONNECTION_NAME'}) {
+if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
$database_query = qq(
SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
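Review bot: When `CONNECTION_NAME` fails `/^[a-zA-Z0-9]+$/` the condition is simply false and the script silently falls back to the unfiltered query for all sessions, so a user who enters a name that is rejected gets every client's log instead of an error; report the rejection instead. The class is also stricter than real OpenVPN common names, which routinely contain `-`, `_` and `.`, so legitimate lookups will hit that fallback. Use `\z` rather than `$` to exclude a trailing newline, and since the query is built with `qq()`, the durable fix is to pass the name as a bind parameter rather than interpolating it.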
diff --git a/html/cgi-bin/mail.cgi b/html/cgi-bin/mail.cgi
index 0ed3dfeca..6c024974d 100644
--- a/html/cgi-bin/mail.cgi
+++ b/html/cgi-bin/mail.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -218,11 +218,13 @@ END
</tr>
<tr>
<td>$Lang::tr{'email mailuser'}</td>
- <td><input type='text' name='txt_mailuser' value='$auth{'AUTHNAME'}' style='width:22em;'></td>
+ <td><input type='text' name='txt_mailuser'
+ value='@{[ &Header::escape($auth{'AUTHNAME'}) ]}' style='width:22em;'></td>
</tr>
<tr>
<td>$Lang::tr{'email mailpass'}</td>
- <td><input type='password' name='txt_mailpass' value='$auth{'AUTHPASS'}' style='width:22em;' ></td>
+ <td><input type='password' name='txt_mailpass'
+ value='@{[ &Header::escape($auth{'AUTHPASS'}) ]}' style='width:22em;' ></td>
</tr>
<tr>
<td>$Lang::tr{'email tls'}</td>
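Review bot: The escape stops `AUTHNAME` and `AUTHPASS` from breaking out of the attribute, but the password is still echoed back in clear text as the `value` of the password input, so it is present in the page source and in any proxy or browser cache of the page. Consider rendering the field empty and only updating the stored password when a new one is submitted.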
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index bdce2fa66..fdb7c6a77 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -955,7 +955,8 @@ if ($netsettings{'BLUE_DEV'}) {
}
print <<END
<td class='base'>$Lang::tr{'advproxy visible hostname'}:</td>
- <td><input type='text' name='VISIBLE_HOSTNAME' value='$proxysettings{'VISIBLE_HOSTNAME'}' /></td>
+ <td><input type='text' name='VISIBLE_HOSTNAME'
+ value='@{[ &Header::escape($proxysettings{'VISIBLE_HOSTNAME'}) ]}' /></td>
</tr>
<tr>
END
@@ -1074,13 +1075,15 @@ print <<END
<td class='base'><a href='/cgi-bin/cachemgr.cgi' target='_blank'>$Lang::tr{'proxy cachemgr'}:</td>
<td><input type='checkbox' name='CACHEMGR' $checked{'CACHEMGR'}{'on'} /></td>
<td class='base'>$Lang::tr{'advproxy admin mail'}:</td>
- <td><input type='text' name='ADMIN_MAIL_ADDRESS' value='$proxysettings{'ADMIN_MAIL_ADDRESS'}' /></td>
+ <td><input type='text' name='ADMIN_MAIL_ADDRESS'
+ value='@{[ &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'}) ]}' /></td>
</tr>
<tr>
<td class='base'>$Lang::tr{'proxy filedescriptors'}: <img src='/blob.gif' alt='*' /></td>
<td><input type='text' name='FILEDESCRIPTORS' value='$proxysettings{'FILEDESCRIPTORS'}' size='5' /></td>
<td class='base'>$Lang::tr{'proxy admin password'}:</td>
- <td><input type='text' name='ADMIN_PASSWORD' value='$proxysettings{'ADMIN_PASSWORD'}' /></td>
+ <td><input type='text' name='ADMIN_PASSWORD'
+ value='@{[ &Header::escape($proxysettings{'ADMIN_PASSWORD'}) ]}' /></td>
</tr>
<tr>
<td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
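Review bot: `FILEDESCRIPTORS` on the context line between the two changed inputs is still interpolated raw into its `value` attribute; it should get the same `@{[ &Header::escape(...) ]}` treatment (or be validated as an integer at save time). Also, `ADMIN_PASSWORD` is rendered with `type='text'`, so the cache manager password is shown in clear on the page; `type='password'` would be the expected input type.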
@@ -3976,8 +3979,14 @@ END
print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
}
- if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
- if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+ if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+ {
+ print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+ }
+ if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+ {
+ print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
+ }
print FILE "\n";
print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
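Review bot: This hunk only adds braces and changes no behaviour; `ADMIN_MAIL_ADDRESS` and `ADMIN_PASSWORD` are still written verbatim into the squid configuration via `print FILE`. A value containing a newline would continue on a fresh line of `squid.conf` and be read as a separate directive, so these two settings need validation on the save path (no whitespace, a sane length) independent of the HTML escaping added in the form hunk above.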
@@ -3993,8 +4002,13 @@ END
# login=*:password ($proxysettings{'FORWARD_USERNAME'} eq 'on')
if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
{
+ $proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});
print FILE " login=$proxysettings{'UPSTREAM_USER'}";
- if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+ if ($proxy1 eq 'YES')
+ {
+ $proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+ print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}";
+ }
}
elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }
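Review bot: `Header::escape` is an HTML escape, but these values go into the squid configuration file via `print FILE`, not into a page: an upstream username or password containing `&`, `<`, `>`, `"` or `'` will be written as `&amp;` and similar, so upstream proxy authentication silently breaks for exactly those credentials, while a newline (the character that actually matters in a config line) is not affected by an HTML escape at all. Drop the escape here, validate the two settings when they are saved (reject whitespace and control characters), and do not overwrite the `$proxysettings` entries in place since they are re-read elsewhere in this `print FILE` block.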
diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index 52392be08..8400bafdf 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -671,6 +671,8 @@ END
END
;
if (($qossettings{'OUT_SPD'} ne '') && ($qossettings{'INC_SPD'} ne '')) {
+ $qossettings{'OUT_SPD'} = &Header::escape($qossettings{'OUT_SPD'});
+ $qossettings{'INC_SPD'} = &Header::escape($qossettings{'INC_SPD'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
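Review bot: `OUT_SPD` and `INC_SPD` are bandwidth figures, so the appropriate check is `/^\d+\z/` at save time rather than HTML-escaping them before the heredoc; writing the escaped string back into `$qossettings` also means any later numeric use or config write in the same request sees the escaped value. If an output-side escape is wanted as defence in depth, use `@{[ &Header::escape(...) ]}` inline in the heredoc. The same comment applies to the `DEFCLASS_OUT` / `DEFCLASS_INC` hunk below.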
@@ -683,6 +685,8 @@ END
;
}
if (($qossettings{'DEFCLASS_OUT'} ne '') && ($qossettings{'DEFCLASS_INC'} ne '')) {
+ $qossettings{'DEFCLASS_OUT'} = &Header::escape($qossettings{'DEFCLASS_OUT'});
+ $qossettings{'DEFCLASS_INC'} = &Header::escape($qossettings{'DEFCLASS_INC'});
print <<END
<form method='post' action='$ENV{'SCRIPT_NAME'}'>
<table width='100%'>
diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
index 04c1e771f..d465354bb 100644
--- a/html/cgi-bin/time.cgi
+++ b/html/cgi-bin/time.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2010 IPFire Team #
+# Copyright (C) 2010-2025 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -78,6 +78,7 @@ if ($timesettings{'ACTION'} eq $Lang::tr{'save'})
if (!($timesettings{'UPDATE_VALUE'} =~ /^\d+$/) || $timesettings{'UPDATE_VALUE'} <= 0)
{
$errormessage = $Lang::tr{'invalid time period'};
+ $timesettings{'UPDATE_VALUE'} = 0;
goto ERROR;
}
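Review bot: Resetting `UPDATE_VALUE` to `0` prevents the rejected input from being echoed back into the form, which is the right idea, but `0` is itself rejected by the `<= 0` branch of this same check, so the error page re-renders with a value that cannot be resubmitted; restore the previously saved value (or clear the field) instead.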
diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi
index 1ced06e26..2467f297c 100644
--- a/html/cgi-bin/urlfilter.cgi
+++ b/html/cgi-bin/urlfilter.cgi
@@ -2,7 +2,7 @@
###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2005-2010 IPFire Team #
+# Copyright (C) 2005-2025 IPFire Team #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
@@ -576,7 +576,7 @@ if (($uqsettings{'MODE'} eq 'USERQUOTA') && ($uqsettings{'ACTION'} eq $Lang::tr{
$_ = $uqsettings{'QUOTA_USERS'};
chomp; s/\n/|/g;
- my $quota_users = $_;
+ my $quota_users = &Header::escape($_);
if ($uqsettings{'QUOTA_USERS'} =~ /\\/)
{
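Review bot: Whether this is correct depends on where `$quota_users` is used, which is outside the hunk: if it is only interpolated into HTML the change is fine (though escaping at the print site is clearer), but if it is written into the squidGuard configuration or used to match user names, HTML-escaping will corrupt any entry containing `&`, `<`, `>` or quotes. Please confirm the consumer, and note that the backslash check on the following line suggests this string is also used on the config side.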
@@ -936,6 +936,11 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes
close FILE;
# XXX uses globbing
+ if(!($besettings{'BE_NAME'} =~ /^[a-zA-Z0-9-_]+$/))
+ {
+ $errormessage = 'Invalid blacklist name (use only alphanumeric characters plus hyphens or underscores)';
+ goto ERROR;
+ }
system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db");
&General::system("/usr/bin/squidGuard", "-c", "$editdir/install.conf", "-C", "all");
# XXX uses globbing
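Review bot: The allow-list before the `rm -f` is the right control for a value that is spliced into a shell string, but use `\z` instead of `$`, since `$` matches before a trailing newline and the string-form `system` on the next line would treat that newline as a command separator. The class `[a-zA-Z0-9-_]` works in Perl only because a hyphen directly after a range is literal; `[\w-]` says the same thing unambiguously. The error text is hardcoded English while this patch adds `'fwhost invalid country code'` to the `langs` files, so this message should be a `$Lang::tr` key too, and the `# XXX uses globbing` markers can now be addressed by passing the files to `&General::system` as a list rather than through the shell.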
@@ -2047,6 +2052,10 @@ foreach $line (@tclist)
if ($temp[7] eq 'on') { $time.=$Lang::tr{'urlfilter sun'}; } else { $time.='='; }
$time=$time.' '.$temp[8].':'.$temp[9].' to '.$temp[10].':'.$temp[11];
+ $temp[12] = &Header::escape($temp[12]);
+ $temp[13] = &Header::escape($temp[13]);
+ $temp[16] = &Header::escape($temp[16]);
+
print <<END
<td align='center'>$temp[0]</td>
<td align='center' nowrap>$time</td>
diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl
index b997ff9a7..09a63b535 100644
--- a/langs/de/cgi-bin/de.pl
+++ b/langs/de/cgi-bin/de.pl
@@ -1289,6 +1289,7 @@
'fwhost hint' => 'Hinweis',
'fwhost hosts' => 'Firewall-Hosts',
'fwhost icmptype' => 'ICMP-Typ:',
+'fwhost invalid country code' => 'Ungültiger Ländercode',
'fwhost ip_mac' => 'IP/MAC-Adresse',
'fwhost ipadr' => 'IP-Adresse:',
'fwhost ipsec host' => 'IPsec-Clients:',
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 35e9da184..02a088600 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1341,6 +1341,7 @@
'fwhost hint' => 'Note',
'fwhost hosts' => 'Firewall Hosts',
'fwhost icmptype' => 'ICMP type:',
+'fwhost invalid country code' => 'Invalid Country Code',
'fwhost ip_mac' => 'IP/MAC address',
'fwhost ipadr' => 'IP address:',
'fwhost ipsec host' => 'IPsec clients:',
hooks/post-receive
--
IPFire 2.x development tree