authordoktornotor <notordoktor@gmail.com>2015-11-18 02:56:53 +0100
committerdoktornotor <notordoktor@gmail.com>2015-11-18 02:56:53 +0100
commit30d1dcee45dfc68d63ae954485642ff306fb4ac2 (patch)
treec8fa9e6485e2d189b44696d8a5d1ec7d4faef913 /config/squid3/34
parent0251c7a9d9a32aa52948689c9ce9fd747e5c66fa (diff)
Squid3 - do not add invalid subnets for 'Allow Users on Interface' to ACL (Bug #4331, Bug #4526)
Diffstat (limited to 'config/squid3/34')
-rwxr-xr-xconfig/squid3/34/squid.inc22
1 files changed, 14 insertions, 8 deletions
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index aee85bcd..b7eb9889 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -41,12 +41,6 @@ require_once('service-utils.inc');
if (!function_exists("filter_configure")) {
require_once("filter.inc");
}
-/* Squid reverse proxy */
-require_once('/usr/local/pkg/squid_reverse.inc');
-/* Squid javascript helpers */
-require_once('/usr/local/pkg/squid_js.inc');
-/* Squid antivirus intergration features helpers */
-require_once('/usr/local/pkg/squid_antivirus.inc');
$shortcut_section = "squid";
@@ -77,6 +71,13 @@ if ($uname['machine'] == 'amd64') {
ini_set('memory_limit', '250M');
}
+/* Squid reverse proxy */
+require_once('/usr/local/pkg/squid_reverse.inc');
+/* Squid javascript helpers */
+require_once('/usr/local/pkg/squid_js.inc');
+/* Squid antivirus intergration features helpers */
+require_once('/usr/local/pkg/squid_antivirus.inc');
+
/*
* Utility functions
*/
@@ -1222,9 +1223,14 @@ EOD;
foreach ($real_ifaces as $iface) {
list($ip, $mask) = $iface;
$ip = long2ip(ip2long($ip) & ip2long($mask));
- $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
+ $mask = 32 - log((ip2long($mask) ^ ip2long('255.255.255.255')) +1, 2);
if (!preg_match("@$ip/$mask@", $src)) {
- $src .= " $ip/$mask";
+ // XXX: Do not add invalid subnets (Bug #4331, Bug #4526)
+ if (is_subnet("{$ip}/{$mask}")) {
+ $src .= " $ip/$mask";
+ } else {
+ log_error("[squid] 'Allow Users on Interface' ACL skipped for '{$ip}/{$mask}' since it is not a valid subnet.");
+ }
}
}
$conf .= "# Allow local network(s) on interface(s)\n";
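Review bot: The new is_subnet() check runs only after the address arithmetic, so an unparsable `$ip` or `$mask` has already been coerced by then: ip2long() returns false on bad input, and the `&`, `^` and log() lines turn that into `0.0.0.0` with a prefix of 0. If is_subnet() accepts `0.0.0.0/0` (its definition is not in this diff, and whether `$real_ifaces` can hold such entries is not visible here), that interface would add an allow-all source to the ACL instead of being skipped and logged. I would reject the raw values before the long2ip() line, for example `if (ip2long($ip) === false || ip2long($mask) === false) { continue; }`, and consider treating a computed prefix of 0 as invalid for this ACL. The enclosing function starts and ends outside this hunk.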