github/vesta
1
0
Fork 0
mirror of https://github.com/serghey-rodin/vesta.git synced 2025-08-14 10:37:39 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions

Revert "[SECURITY] Fix OS command injection."

Browse source
This commit is contained in:
Serghey Rodin 2015-12-11 21:14:49 +02:00
commit 39e9b6397b
115 changed files with 1980 additions and 1340 deletions
Download patch file Download diff file Expand all files Collapse all files

39
web/edit/firewall/index.php
View file

@ -20,13 +20,15 @@ if (empty($_GET['rule'])) {
exit;
}
$v_rule = $_GET['rule'];
// List rule
v_exec('v-list-firewall-rule', [$v_rule, 'json'], true, $output);
$data = json_decode($output, true);
$v_rule = escapeshellarg($_GET['rule']);
exec (VESTA_CMD."v-list-firewall-rule ".$v_rule." 'json'", $output, $return_var);
check_return_code($return_var,$output);
$data = json_decode(implode('', $output), true);
unset($output);
// Parse rule
$v_rule = $_GET['rule'];
$v_action = $data[$v_rule]['ACTION'];
$v_protocol = $data[$v_rule]['PROTOCOL'];
$v_port = $data[$v_rule]['PORT'];
@ -35,17 +37,37 @@ $v_comment = $data[$v_rule]['COMMENT'];
$v_date = $data[$v_rule]['DATE'];
$v_time = $data[$v_rule]['TIME'];
$v_suspended = $data[$v_rule]['SUSPENDED'];
$v_status = $v_suspended == 'yes' ? 'suspended' : 'active';
if ( $v_suspended == 'yes' ) {
$v_status = 'suspended';
} else {
$v_status = 'active';
}
// Check POST request
if (!empty($_POST['save'])) {
// Check token
if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
header('location: /login/');
exit;
exit();
}
$v_rule = $_GET['rule'];
$v_rule = escapeshellarg($_GET['rule']);
$v_action = escapeshellarg($_POST['v_action']);
$v_protocol = escapeshellarg($_POST['v_protocol']);
$v_port = str_replace(" ",",", $_POST['v_port']);
$v_port = preg_replace('/\,+/', ',', $v_port);
$v_port = trim($v_port, ",");
$v_port = escapeshellarg($v_port);
$v_ip = escapeshellarg($_POST['v_ip']);
$v_comment = escapeshellarg($_POST['v_comment']);
// Change Status
exec (VESTA_CMD."v-change-firewall-rule ".$v_rule." ".$v_action." ".$v_ip." ".$v_port." ".$v_protocol." ".$v_comment, $output, $return_var);
check_return_code($return_var,$output);
unset($output);
$v_rule = $_GET['v_rule'];
$v_action = $_POST['v_action'];
$v_protocol = $_POST['v_protocol'];
$v_port = str_replace(" ",",", $_POST['v_port']);
@ -54,9 +76,6 @@ if (!empty($_POST['save'])) {
$v_ip = $_POST['v_ip'];
$v_comment = $_POST['v_comment'];
// Change Status
v_exec('v-change-firewall-rule', [$v_rule, $v_action, $v_ip, $v_port, $v_protocol, $v_comment]);
// Set success message
if (empty($_SESSION['error_msg'])) {
$_SESSION['ok_msg'] = __('Changes has been saved.');