aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata/suricata_suppress.php
diff options
context:
space:
mode:
authorbmeeks8 <bmeeks8@bellsouth.net>2014-09-07 17:56:35 -0400
committerbmeeks8 <bmeeks8@bellsouth.net>2014-09-07 17:56:35 -0400
commite1be647aab970954f0c1312d3579c1e312add9ba (patch)
treee0fb3a33ce1a67617f689461eb47219d533f1f0d /config/suricata/suricata_suppress.php
parent98d54bcb91d1d9775c28f566655d49b4d9962bb1 (diff)
downloadpfsense-packages-e1be647aab970954f0c1312d3579c1e312add9ba.tar.gz
pfsense-packages-e1be647aab970954f0c1312d3579c1e312add9ba.tar.bz2
pfsense-packages-e1be647aab970954f0c1312d3579c1e312add9ba.zip
Use $_POST instead of $_GET for DEL action to improve security.
Diffstat (limited to 'config/suricata/suricata_suppress.php')
-rw-r--r--config/suricata/suricata_suppress.php18
1 files changed, 9 insertions, 9 deletions
diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php
index 2fd2deeb..80249724 100644
--- a/config/suricata/suricata_suppress.php
+++ b/config/suricata/suricata_suppress.php
@@ -94,15 +94,16 @@ function suricata_find_suppresslist_interface($supplist) {
return false;
}
-if ($_GET['act'] == "del") {
- if ($a_suppress[$_GET['id']]) {
+if ($_POST['del'] && is_numericint($_POST['list_id'])) {
+ if ($a_suppress[$_POST['list_id']]) {
// make sure list is not being referenced by any Suricata-configured interface
- if (suricata_suppresslist_used($a_suppress[$_GET['id']]['name'])) {
+ if (suricata_suppresslist_used($a_suppress[$_POST['list_id']]['name'])) {
$input_errors[] = gettext("ERROR -- Suppress List is currently assigned to an interface and cannot be removed!");
}
else {
- unset($a_suppress[$_GET['id']]);
- write_config();
+ unset($a_suppress[$_POST['list_id']]);
+ write_config("Suricata pkg: deleted SUPPRESS LIST.");
+ sync_suricata_package_config();
header("Location: /suricata/suricata_suppress.php");
exit;
}
@@ -126,6 +127,7 @@ if ($input_errors) {
?>
<form action="/suricata/suricata_suppress.php" method="post"><?php if ($savemsg) print_info_box($savemsg); ?>
+<input type="hidden" name="list_id" id="list_id" value=""/>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr><td>
@@ -189,10 +191,8 @@ if ($input_errors) {
width="17" height="17" border="0" title="<?php echo gettext("Goto first instance associated with this Suppress List");?>"/></a>
</td>
<?php else : ?>
- <td><a href="/suricata/suricata_suppress.php?act=del&id=<?=$i;?>"
- onclick="return confirm('<?php echo gettext("Do you really want to delete this Suppress List?"); ?>')"><img
- src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif"
- width="17" height="17" border="0" title="<?php echo gettext("delete Suppress List"); ?>"></a></td>
+ <td><input type="image" name="del[]" onclick="document.getElementById('list_id').value='<?=$i;?>';return confirm('<?=gettext("Do you really want to delete this Suppress List?");?>');"
+ src="/themes/<?=$g['theme'];?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("delete Suppress List");?>"/></td>
<td>&nbsp;</td>
<?php endif; ?>
</tr>