diff options
author | Renato Botelho <garga@FreeBSD.org> | 2014-06-19 17:01:59 -0300 |
---|---|---|
committer | Renato Botelho <garga@FreeBSD.org> | 2014-06-19 17:01:59 -0300 |
commit | 35b75b9b94a3f63c358c34fe98ee5ad7f7004a62 (patch) | |
tree | 43a9ae97c4bef12750350895177ed76674650abf | |
parent | 6048cbcf1b2e2029250f9eb5fe166627c89398fd (diff) | |
download | pfsense-packages-35b75b9b94a3f63c358c34fe98ee5ad7f7004a62.tar.gz pfsense-packages-35b75b9b94a3f63c358c34fe98ee5ad7f7004a62.tar.bz2 pfsense-packages-35b75b9b94a3f63c358c34fe98ee5ad7f7004a62.zip |
Replicate last snort changes from 6048cbcf1 to suricata
-rw-r--r-- | config/suricata/suricata_rules_flowbits.php | 2 | ||||
-rw-r--r-- | config/suricata/suricata_select_alias.php | 18 |
2 files changed, 11 insertions, 9 deletions
diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php index c5193a8b..f266875c 100644 --- a/config/suricata/suricata_rules_flowbits.php +++ b/config/suricata/suricata_rules_flowbits.php @@ -65,7 +65,7 @@ if (is_null($id)) { // Set who called us so we can return to the correct page with // the RETURN ('cancel') button. -if ($_POST['referrer']) +if ($_POST['referrer'] && substr($_POST['referrer'], 0, 1) == '/') $referrer = $_POST['referrer']; else $referrer = $_SERVER['HTTP_REFERER']; diff --git a/config/suricata/suricata_select_alias.php b/config/suricata/suricata_select_alias.php index 527412d1..c11802c2 100644 --- a/config/suricata/suricata_select_alias.php +++ b/config/suricata/suricata_select_alias.php @@ -47,29 +47,31 @@ else // Retrieve any passed QUERY STRING or POST variables if (isset($_POST['type'])) - $type = $_POST['type']; + $type = htmlspecialchars($_POST['type']); elseif (isset($_GET['type'])) $type = htmlspecialchars($_GET['type']); if (isset($_POST['varname'])) - $varname = $_POST['varname']; + $varname = htmlspecialchars($_POST['varname']); elseif (isset($_GET['varname'])) $varname = htmlspecialchars($_GET['varname']); if (isset($_POST['multi_ip'])) - $multi_ip = $_POST['multi_ip']; + $multi_ip = htmlspecialchars($_POST['multi_ip']); elseif (isset($_GET['multi_ip'])) $multi_ip = htmlspecialchars($_GET['multi_ip']); -if (isset($_POST['returl'])) +if (isset($_POST['returl']) && substr($_POST['returl'], 0, 1) == '/') $referrer = urldecode($_POST['returl']); -elseif (isset($_GET['returl'])) +elseif (isset($_GET['returl']) && substr($_GET['returl'], 0, 1) == '/') $referrer = urldecode($_GET['returl']); +else + $referrer = $_SERVER['HTTP_REFERER']; // Make sure we have a valid VARIABLE name // and ALIAS TYPE, or else bail out. if (is_null($type) || is_null($varname)) { - header("Location: http://{$referrer}?{$querystr}"); + header("Location: {$referrer}?{$querystr}"); exit; } @@ -132,8 +134,8 @@ include("head.inc"); <input type="hidden" name="varname" value="<?=$varname;?>"/> <input type="hidden" name="type" value="<?=$type;?>"/> <input type="hidden" name="multi_ip" value="<?=$multi_ip;?>"/> -<input type="hidden" name="returl" value="<?=$referrer;?>"/> -<input type="hidden" name="org_querystr" value="<?=$querystr;?>"/> +<input type="hidden" name="returl" value="<?=htmlspecialchars($referrer);?>"/> +<input type="hidden" name="org_querystr" value="<?=htmlspecialchars($querystr);?>"/> <?php if ($input_errors) print_input_errors($input_errors); ?> <div id="boxarea"> <table width="100%" border="0" cellpadding="0" cellspacing="0"> |