From 43d9fe3901e595bf902a93ab40987144ba70a9f8 Mon Sep 17 00:00:00 2001
From: "D. V. Serg"
Date: Sun, 5 Oct 2008 13:41:20 +0000
Subject: Fixed Destinations URL validation bug

---
 packages/squidGuard/sgerror.php | 56 ++++++++++++++++++++++---
 packages/squidGuard/squidguard_configurator.inc | 18 ++++++--
 2 files changed, 64 insertions(+), 10 deletions(-)

diff --git a/packages/squidGuard/sgerror.php b/packages/squidGuard/sgerror.php
index 7e3b5c6c..8084c5c3 100644
--- a/packages/squidGuard/sgerror.php
+++ b/packages/squidGuard/sgerror.php
@@ -140,16 +140,24 @@ if ($url) {
     }
     # blank page
-    if ($url === 'blank') {
+    if ($url === TAG_BLANK) {
         echo get_page('');
     }
     # blank image
     elseif ($url === TAG_BLANK_IMG) {
-        # --------------------------------------------------------------
-        # return blank image
-        # --------------------------------------------------------------
-        header("Content-Type: image/gif;"); // charset=windows-1251");
-        echo GIF_BODY;
+        $msg = trim($msg);
+        if(strpos($msg, "maxlen_") !== false) {
+            $maxlen = intval(trim(str_replace("maxlen_", "", $url)));
+            filter_by_image_size($cl['u'], $maxlen);
+            exit();
+        }
+        else {
+            # --------------------------------------------------------------
+            # return blank image
+            # --------------------------------------------------------------
+            header("Content-Type: image/gif;"); // charset=windows-1251");
+            echo GIF_BODY;
+        }
     }
     # error code
     elseif ($err_id !== 0) {
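Review bot: The size limit is never applied: inside the `elseif ($url === TAG_BLANK_IMG)` branch the code tests `$msg` for `maxlen_` but then strips the prefix from `$url`, which in this branch is always `TAG_BLANK_IMG`, so `$maxlen` is `intval("blank_img")` = 0 and `filter_by_image_size()` can only fall through to the blank image (`$size < 0` is never true). Parse the limit from the variable that was tested, e.g. `$maxlen = intval(substr($msg, strpos($msg, "maxlen_") + strlen("maxlen_")));`, and anchor the check as `strpos($msg, "maxlen_") === 0` so a client-supplied `msg` that merely contains the token mid-string does not select this path. The companion configurator hunk emits `?url=maxlen_<n>` for RMOD_INT_SIZELIMIT rather than `?url=blank_img&msg=maxlen_<n>`, so it is not clear from this diff which request form is meant to reach this branch — worth confirming. The enclosing `if ($url) {` block starts before this hunk, and `$msg` and `$cl` are populated outside it.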
@@ -237,4 +245,40 @@ function get_about()
 {
     return implode("\n", $str);
 }
+
+function filter_by_image_size($url, $val_size) {
+
+    # load url header
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_URL, $url);
+    curl_setopt($ch, CURLOPT_HEADER, 1);
+    curl_setopt($ch, CURLOPT_NOBODY, 1);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
+    $hd = curl_exec($ch);
+    curl_close($ch);
+
+    $size = 0;
+    $SKEY = "content-length:";
+    $s_tmp = strtolower($hd);
+    $s_tmp = str_replace("\n", " ", $s_tmp); # replace all "\n"
+    if (strpos($s_tmp, $SKEY) !== false) {
+        $s_tmp = trim(substr($s_tmp, strpos($s_tmp, $SKEY) + strlen($SKEY)));
+        $s_tmp = trim(substr($s_tmp, 0, strpos($s_tmp, " ")));
+        if (is_numeric($s_tmp))
+            $size = intval($s_tmp);
+        else $size = 0;
+    }
+
+    # === check url type and content size ===
+    # redirect to specified url
+    if (($size !== 0) && ($size < $val_size)) {
+        header("HTTP/1.0");
+        header("Location: $url", '', 302);
+    }
+    # return blank image
+    else {
+        header("Content-Type: image/gif;");
+        echo GIF_BODY;
+    }
+}
 ?>
\ No newline at end of file
diff --git a/packages/squidGuard/squidguard_configurator.inc b/packages/squidGuard/squidguard_configurator.inc
index 754cbc32..b359fa0a 100644
--- a/packages/squidGuard/squidguard_configurator.inc
+++ b/packages/squidGuard/squidguard_configurator.inc
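Review bot: `filter_by_image_size()` hands `$url` — the blocked request URL, which the caller takes from the client's query string — straight to `curl_setopt($ch, CURLOPT_URL, $url)` with no scheme restriction and no timeout, so anyone who can reach sgerror.php can make the firewall issue HEAD requests to arbitrary targets (internal hosts, and non-HTTP schemes such as `file://` since libcurl enables all protocols by default) and hold the PHP worker open for as long as the target stalls. Restrict the probe to http/https, add connect and total timeouts, and check `curl_exec()` for `false` before parsing, as sketched below. The `Content-Length` extraction also misses the header when it is the last one (`strpos($s_tmp, " ")` returns `false`, which `substr` treats as length 0), and `header("HTTP/1.0")` followed by `header("Location: $url", '', 302)` should collapse to `header("Location: $url", true, 302);`. The blank-image fallback at the end is unchanged.

```php
function filter_by_image_size($url, $val_size) {

    # $url originates from the client request: only ever probe http/https targets
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        header("Content-Type: image/gif;");
        echo GIF_BODY;
        return;
    }

    # load url header (HEAD only, bounded by timeouts)
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_NOBODY, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
    $hd = curl_exec($ch);
    curl_close($ch);

    # first Content-Length header, if any; a failed probe counts as unknown size
    $size = 0;
    if ($hd !== false && preg_match('/^content-length:\s*(\d+)/mi', $hd, $m)) {
        $size = intval($m[1]);
    }

    # === check url type and content size ===
    # redirect to specified url
    if (($size !== 0) && ($size < $val_size)) {
        header("Location: $url", true, 302);
    }
    # … unchanged: blank image fallback …
```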
@@ -1069,8 +1069,8 @@ function sg_redirector_base_url($rdr_info, $redirect_mode)
         case RMOD_EXT_RDR:      $rdr_path = "$rdr_info"; break;
         case RMOD_EXT_MOVED:    $rdr_path = "301:$rdr_info"; break;
         case RMOD_EXT_FOUND:    $rdr_path = "302:$rdr_info"; break;
-        case RMOD_INT_BLANKPAGE: $rdr_path .= "?url=blank"; break;
-        case RMOD_INT_BLANKIMG: $rdr_path .= "?url=blank_img"; break;
+        case RMOD_INT_BLANKPAGE: $rdr_path .= "?url=blank&msg=" . rawurlencode($rdr_info) . REDIRECT_URL_ARGS; break;
+        case RMOD_INT_BLANKIMG: $rdr_path .= "?url=blank_img&msg=" . rawurlencode($rdr_info) . REDIRECT_URL_ARGS; break;
         case RMOD_INT_SIZELIMIT: $rdr_path .= "?url=maxlen_$rdr_info" . REDIRECT_URL_ARGS; break;
         case RMOD_INT_ERRORPAGE:
         default: $rdr_path .= "?url=" . rawurlencode("403 $rdr_info") . REDIRECT_URL_ARGS; break;
@@ -1746,6 +1746,16 @@ function is_url($url)
     if (eregi("^((30[1235]{1})|(40[0-9]{1})|(41[0-7]{1})|(50[0-5]{1}))", $url)) return true; # http error code 30x, 4xx, 50x.
     return false;
 }
+
+# url as 'domain/path': 'mydomain.com/index.php'
+function is_dest_url($url)
+{
+    $fmt = "[a-zA-Z0-9_-]";
+
+    if (empty($url)) return false;
+    if (eregi("^(($fmt){1,}\.){1,}($fmt){2,}(/(.[^\*][^ ])*)", $url)) return true;
+    return false;
+}
 # ------------------------------------------------------------------------------
 # is_masksubnet - check ip/mask
 # ------------------------------------------------------------------------------
@@ -1890,7 +1900,7 @@ function sg_check_dest($sgx, $input_errors)
     # url
     foreach ($ur as $u_it)
-        if ($u_it && !is_url($u_it)) $elog[] = "Item '$u_it' is not a url";
+        if ($u_it && !is_dest_url($u_it)) $elog[] = "Item '$u_it' is not a url.";
     # check redirect
     sg_check_redirect($sgx[FLD_RMOD], $sgx[FLD_REDIRECT], &$elog);
@@ -2089,4 +2099,4 @@ class TSgTag
     }
 }
-?>
\ No newline at end of file
+?>
-- 
cgit v1.2.3
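Review bot: `is_dest_url()` anchors its pattern only at the start (`^`) and never at the end, so `mydomain.com/index.php * anything else` still returns true: the `[^\*]` and `[^ ]` classes constrain at most one three-character repeat of the path and nothing restricts what follows, which defeats the purpose of validating Destinations entries before they are written into the squidGuard configuration. Anchor the whole string and forbid whitespace and `*` throughout the path, e.g. `if (preg_match('/^(' . $fmt . '+\.)+' . $fmt . '{2,}\/[^\s*]*$/i', $url)) return true;`, which keeps the same domain rule and the mandatory leading `/` of the original. Moving off `eregi()` (removed in later PHP releases) to `preg_match` is the safer long-term choice here as well. Note also that `$fmt` is expanded inside a double-quoted ERE in the original, so its bracket expression must stay free of `"` and `$`; the `preg` form keeps it as a plain concatenation.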