author | doktornotor <notordoktor@gmail.com> | 2015-11-18 02:56:53 +0100 |
---|---|---|
committer | doktornotor <notordoktor@gmail.com> | 2015-11-18 02:56:53 +0100 |
commit | 30d1dcee45dfc68d63ae954485642ff306fb4ac2 (patch) | |
tree | c8fa9e6485e2d189b44696d8a5d1ec7d4faef913 | |
parent | 0251c7a9d9a32aa52948689c9ce9fd747e5c66fa (diff) | |
download | pfsense-packages-30d1dcee45dfc68d63ae954485642ff306fb4ac2.tar.gz pfsense-packages-30d1dcee45dfc68d63ae954485642ff306fb4ac2.tar.bz2 pfsense-packages-30d1dcee45dfc68d63ae954485642ff306fb4ac2.zip |
Squid3 - do not add invalid subnets for 'Allow Users on Interface' to ACL (Bug #4331, Bug #4526)
-rwxr-xr-x | config/squid3/34/squid.inc | 22 |
1 files changed, 14 insertions, 8 deletions
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index aee85bcd..b7eb9889 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -41,12 +41,6 @@ require_once('service-utils.inc');
 if (!function_exists("filter_configure")) {
 require_once("filter.inc");
 }
-/* Squid reverse proxy */
-require_once('/usr/local/pkg/squid_reverse.inc');
-/* Squid javascript helpers */
-require_once('/usr/local/pkg/squid_js.inc');
-/* Squid antivirus intergration features helpers */
-require_once('/usr/local/pkg/squid_antivirus.inc');
 $shortcut_section = "squid";
@@ -77,6 +71,13 @@ if ($uname['machine'] == 'amd64') {
 ini_set('memory_limit', '250M');
 }
+/* Squid reverse proxy */
+require_once('/usr/local/pkg/squid_reverse.inc');
+/* Squid javascript helpers */
+require_once('/usr/local/pkg/squid_js.inc');
+/* Squid antivirus intergration features helpers */
+require_once('/usr/local/pkg/squid_antivirus.inc');
+
 /*
 * Utility functions
 */
@@ -1222,9 +1223,14 @@ EOD;
 foreach ($real_ifaces as $iface) {
 list($ip, $mask) = $iface;
 $ip = long2ip(ip2long($ip) & ip2long($mask));
- $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
+ $mask = 32 - log((ip2long($mask) ^ ip2long('255.255.255.255')) +1, 2);
 if (!preg_match("@$ip/$mask@", $src)) {
- $src .= " $ip/$mask";
+ // XXX: Do not add invalid subnets (Bug #4331, Bug #4526)
+ if (is_subnet("{$ip}/{$mask}")) {
+ $src .= " $ip/$mask";
+ } else {
+ log_error("[squid] 'Allow Users on Interface' ACL skipped for '{$ip}/{$mask}' since it is not a valid subnet.");
+ }
 }
 }
 $conf .= "# Allow local network(s) on interface(s)\n"; |
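Review bot: The new `is_subnet()` check in the third hunk validates only the formatted string, so a failed `ip2long()` earlier in the loop can still reach the ACL: if `$ip` or `$mask` is empty or not IPv4, `ip2long()` returns false, the bit arithmetic then works out to `0.0.0.0/0`, and that is presumably accepted as a valid subnet (`is_subnet()` is not shown here), which would let every source address through the proxy. Validate the inputs before the arithmetic, for example `if (ip2long($ip) === false || ip2long($mask) === false) { continue; }` right after `list($ip, $mask) = $iface;`, and log the skip the same way as the new else branch. The dedupe test `preg_match("@$ip/$mask@", $src)` also treats the dots as wildcards and matches prefixes (a `/2` entry matches an existing `/24`), so an exact token comparison would be safer. The enclosing function and the code that fills `$real_ifaces` lie outside the hunk, so whether empty entries can reach this loop should be confirmed there.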