input validation for configuration web interface
parent
9076334829
commit
e1dd6180a2
3 changed files with 71 additions and 15 deletions
@ -47,7 +47,9 @@ case "$ACTION" in
|
|||
cd "`dirname \"$MIRROR_ORIG_DIR\"`"
|
||||
# diff and remove "binary files differ"-warnings (vi-swap-files)
|
||||
# ignore generated reports
|
||||
diff -ruN --exclude=report "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
|
||||
# ignore cryptobox.pl and index.html, as those are the same as
|
||||
# /var/www/cryptobox (symbilic links)
|
||||
diff -ruN --exclude=report --exclude=cryptobox.pl --exclude=index.html "`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`" | grep -v "^Binary files"
|
||||
;;
|
||||
stop )
|
||||
/etc/init.d/ssh stop
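Review bot: The new diff invocation nests backticks inside double quotes with escaped inner quotes, `"`basename \"$MIRROR_ORIG_DIR\"`" "`basename \"$MIRROR_DIR\"`"`, which is hard to read and easy to break on the next edit; the equivalent `"$(basename "$MIRROR_ORIG_DIR")" "$(basename "$MIRROR_DIR")"` needs no escaping and is POSIX. Because the line ends in `| grep -v "^Binary files"`, the exit status the caller sees is grep's, not diff's, so if anything later tests `$?` it learns whether a non-binary line survived rather than whether the trees differ; a comment such as `# exit status is grep's, not diff's` would make that explicit. The `case "$ACTION" in` block that encloses these lines starts and ends outside this hunk.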
|
||||
|
|
|
@ -89,6 +89,21 @@ Lang {
|
|||
Title = Konfiguration gefunden
|
||||
Text = Die CryptoBox wurde bereits eingerichtet. Bei einer erneuten Initialisierung werden alle Daten gelöscht!
|
||||
}
|
||||
|
||||
InvalidLanguage {
|
||||
Title = Ungültige Sprache
|
||||
Text = Die ausgewählte Sprache ist nicht verfügbar!
|
||||
}
|
||||
|
||||
InvalidIP {
|
||||
Title = Ungültige IP
|
||||
Text = Die ausgewählte Netzwerkadresse ist nicht gültig!
|
||||
}
|
||||
|
||||
InvalidTimeOut {
|
||||
Title = Ungültige Zeitabschaltung
|
||||
Text = Der ausgewählte Wert der Zeitabschaltung ist nicht gültig!
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -201,6 +201,38 @@ sub system_reboot()
|
|||
}
|
||||
|
||||
|
||||
sub validate_ip()
|
||||
{
|
||||
my $ip = shift;
|
||||
my @octets = split /\./, $ip;
|
||||
return 0 if ($#octets == 4);
|
||||
# check for values and non-digits
|
||||
return 0 if ((@octets[0] <= 0) || (@octets[0] >= 255) || (@octets[0] =~ /\D/));
|
||||
return 0 if ((@octets[1] < 0) || (@octets[1] >= 255) || (@octets[1] =~ /\D/));
|
||||
return 0 if ((@octets[2] < 0) || (@octets[2] >= 255) || (@octets[2] =~ /\D/));
|
||||
return 0 if ((@octets[3] <= 0) || (@octets[3] >= 255) || (@octets[3] =~ /\D/));
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
sub validate_timeout()
|
||||
{
|
||||
my $timeout = shift;
|
||||
return 0 if ($timeout =~ /\D/);
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
sub validate_language()
|
||||
{
|
||||
my $language = shift;
|
||||
# check for non-alphanumeric character
|
||||
return 0 if ($language = ~/\W/);
|
||||
return 0 if ( ! -e "$LANGUAGE_DIR/$language" . '.hdf');
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
################### main #########################
|
||||
|
||||
my $query = new CGI;
|
||||
|
@ -336,18 +368,15 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Action', 'config_form');
|
||||
}
|
||||
#################### set_lang ########################
|
||||
# this action is called by the language links in the upper left of the web interface
|
||||
} elsif ($action eq 'set_lang') {
|
||||
# TODO: check for invalid file names (containing "../../.." and so on)
|
||||
# TODO: ugly problem: can't save the setting, as long as the box is unconfigured
|
||||
my $language = $query->param('language');
|
||||
my $lang_file = "$LANGUAGE_DIR/$language" . ".hdf";
|
||||
if (-e "$lang_file") {
|
||||
if (&validate_language($language)) {
|
||||
system("$CB_SCRIPT", "set_config", "language", "$language");
|
||||
&load_language_data($pagedata, $language);
|
||||
} else {
|
||||
# warning for user is not necessary, as this wrong value
|
||||
# has surely been injected
|
||||
warn ("Could not find language file ($lang_file)!");
|
||||
$pagedata->setValue('Data.Warning', 'InvalidLanguage');
|
||||
}
|
||||
$pagedata->setValue('Data.Action', 'intro');
|
||||
#################### config_do #######################
|
||||
|
@ -356,13 +385,23 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Warning', 'NotConfigured');
|
||||
$pagedata->setValue('Data.Action', 'init_form');
|
||||
} else {
|
||||
# TODO: parse for valid values
|
||||
system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
|
||||
system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
|
||||
system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
|
||||
# TODO: check for success by comparing with new config and report success
|
||||
$pagedata->setValue('Data.Success', 'ConfigSaved');
|
||||
$pagedata->setValue('Data.Action', 'intro');
|
||||
if ( ! &validate_language()) {
|
||||
$pagedata->setValue('Data.Warning', 'InvalidLanguage');
|
||||
$pagedata->setValue('Data.Action', 'config_ask');
|
||||
} elsif ( ! &validate_ip()) {
|
||||
$pagedata->setValue('Data.Warning', 'InvalidIP');
|
||||
$pagedata->setValue('Data.Action', 'config_ask');
|
||||
} elsif ( ! &validate_timeout()) {
|
||||
$pagedata->setValue('Data.Warning', 'InvalidTimeOut');
|
||||
$pagedata->setValue('Data.Action', 'config_ask');
|
||||
} else {
|
||||
system("$CB_SCRIPT", "set_config", "language", $query->param('language'));
|
||||
system("$CB_SCRIPT", "set_config", "timeout", $query->param('timeout'));
|
||||
system("$CB_SCRIPT", "set_config", "ip", $query->param('ip'));
|
||||
# TODO: check for success by comparing with new config and report success
|
||||
$pagedata->setValue('Data.Success', 'ConfigSaved');
|
||||
$pagedata->setValue('Data.Action', 'intro');
|
||||
}
|
||||
}
|
||||
#################### show_log ########################
|
||||
} elsif ($action eq 'show_log') {
|
||||
|
@ -381,7 +420,7 @@ if ( ! &check_ssl()) {
|
|||
$pagedata->setValue('Data.Action', 'shutdown_form');
|
||||
##################### reboot ######################
|
||||
} elsif ($action eq 'shutdown_do') {
|
||||
if ($type eq 'reboot') {
|
||||
if ($query->param('type') eq 'reboot') {
|
||||
&system_reboot();
|
||||
$pagedata->setValue('Data.Success', 'ReBoot');
|
||||
} else {
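Review bot: In the config_do hunk the three validators are invoked with no argument — `if ( ! &validate_language()) {`, `} elsif ( ! &validate_ip()) {`, `} elsif ( ! &validate_timeout()) {` — so `shift` inside each yields undef and every submission ends in the InvalidLanguage branch; they need the submitted values, e.g. `if ( ! &validate_language($query->param('language'))) {` and likewise `$query->param('ip')` and `$query->param('timeout')`. In validate_language, `return 0 if ($language = ~/\W/);` is an assignment of the complemented match against `$_`, not a match, so the non-word-character guard the surrounding TODO asks for is never applied and the sub cannot return 1 for a legitimate name; it should read `return 0 if ($language =~ /\W/);`. validate_ip rejects only inputs with exactly five octets because `$#octets` is the last index, so `return 0 if ($#octets != 3);` is the intended check, and `@octets[0]` through `@octets[3]` are one-element slices that warn under `use warnings` and should be `$octets[0]` etc. validate_timeout accepts an empty or undefined value because `/\D/` then finds nothing to reject; `return 0 unless (defined $timeout && $timeout =~ /\A\d+\z/);` closes that. The `sub validate_ip()` form declares a zero-argument prototype that only the `&`-style calls here bypass, and the enclosing `if ( ! &check_ssl())` chain starts and ends outside these hunks.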
|
||||
|
|