input validation for configuration web interface

This commit is contained in:
lars 2005-07-24 14:18:53 +00:00
parent 9076334829
commit e1dd6180a2
3 changed files with 71 additions and 15 deletions

View file

@ -47,7 +47,9 @@ case "$ACTION" in
cd "`dirname \"$MIRROR_ORIG_DIR\"`"
# diff and remove "binary files differ"-warnings (vi-swap-files)
# ignore generated reports
diff -ruN --exclude=report "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
# ignore cryptobox.pl and index.html, as those are the same as
# /var/www/cryptobox (symbilic links)
diff -ruN --exclude=report --exclude=cryptobox.pl --exclude=index.html "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
;;
stop )
/etc/init.d/ssh stop

View file

@ -89,6 +89,21 @@ Lang {
Title = Konfiguration gefunden
Text = Die CryptoBox wurde bereits eingerichtet. Bei einer erneuten Initialisierung werden alle Daten gelöscht!
}
InvalidLanguage {
Title = Ungültige Sprache
Text = Die ausgewählte Sprache ist nicht verfügbar!
}
InvalidIP {
Title = Ungültige IP
Text = Die ausgewählte Netzwerkadresse ist nicht gültig!
}
InvalidTimeOut {
Title = Ungültige Zeitabschaltung
Text = Der ausgewählte Wert der Zeitabschaltung ist nicht gültig!
}
}

View file

@ -201,6 +201,38 @@ sub system_reboot()
}
sub validate_ip()
{
my $ip = shift;
my @octets = split /\./, $ip;
return 0 if ($#octets == 4);
# check for values and non-digits
return 0 if ((@octets[0] <= 0) || (@octets[0] >= 255) || (@octets[0] =~ /\D/));
return 0 if ((@octets[1] < 0) || (@octets[1] >= 255) || (@octets[1] =~ /\D/));
return 0 if ((@octets[2] < 0) || (@octets[2] >= 255) || (@octets[2] =~ /\D/));
return 0 if ((@octets[3] <= 0) || (@octets[3] >= 255) || (@octets[3] =~ /\D/));
return 1;
}
sub validate_timeout()
{
my $timeout = shift;
return 0 if ($timeout =~ /\D/);
return 1;
}
sub validate_language()
{
my $language = shift;
# check for non-alphanumeric character
return 0 if ($language = ~/\W/);
return 0 if ( ! -e "$LANGUAGE_DIR/$language" . '.hdf');
return 1;
}
################### main #########################
my $query = new CGI;
@ -336,18 +368,15 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Action', 'config_form');
}
#################### set_lang ########################
# this action is called by the language links in the upper left of the web interface
} elsif ($action eq 'set_lang') {
# TODO: check for invalid file names (containing "../../.." and so on)
# TODO: ugly problem: can't save the setting, as long as the box is unconfigured
my $language = $query->param('language');
my $lang_file = "$LANGUAGE_DIR/$language" . ".hdf";
if (-e "$lang_file") {
if (&validate_language($language)) {
system("$CB_SCRIPT", "set_config", "language", "$language");
&load_language_data($pagedata, $language);
} else {
# warning for user is not necessary, as this wrong value
# has surely been injected
warn ("Could not find language file ($lang_file)!");
$pagedata->setValue('Data.Warning', 'InvalidLanguage');
}
$pagedata->setValue('Data.Action', 'intro');
#################### config_do #######################
@ -356,13 +385,23 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Warning', 'NotConfigured');
$pagedata->setValue('Data.Action', 'init_form');
} else {
# TODO: parse for valid values
system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
# TODO: check for success by comparing with new config and report success
$pagedata->setValue('Data.Success', 'ConfigSaved');
$pagedata->setValue('Data.Action', 'intro');
if ( ! &validate_language()) {
$pagedata->setValue('Data.Warning', 'InvalidLanguage');
$pagedata->setValue('Data.Action', 'config_ask');
} elsif ( ! &validate_ip()) {
$pagedata->setValue('Data.Warning', 'InvalidIP');
$pagedata->setValue('Data.Action', 'config_ask');
} elsif ( ! &validate_timeout()) {
$pagedata->setValue('Data.Warning', 'InvalidTimeOut');
$pagedata->setValue('Data.Action', 'config_ask');
} else {
system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
# TODO: check for success by comparing with new config and report success
$pagedata->setValue('Data.Success', 'ConfigSaved');
$pagedata->setValue('Data.Action', 'intro');
}
}
#################### show_log ########################
} elsif ($action eq 'show_log') {
@ -381,7 +420,7 @@ if ( ! &check_ssl()) {
$pagedata->setValue('Data.Action', 'shutdown_form');
##################### reboot ######################
} elsif ($action eq 'shutdown_do') {
if ($type eq 'reboot') {
if ($query->param('type') eq 'reboot') {
&system_reboot();
$pagedata->setValue('Data.Success', 'ReBoot');
} else {