From ad6e7cb89edbb0849eda4516cb0976fb877bc397 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Mon, 17 Feb 2014 16:09:43 -0500
Subject: Input validation for arping and escaping. Fixes #3462
---
 config/arping/arping.inc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'config')
diff --git a/config/arping/arping.inc b/config/arping/arping.inc
index be21a790..0054adf0 100644
--- a/config/arping/arping.inc
+++ b/config/arping/arping.inc
@@ -35,7 +35,11 @@ function arping_package_reinstall() {
 }
 function arping_package_php_command() {
- system("arping -c3 " . $_POST['hostip']);
+ require_once("util.inc");
+ if (is_ipaddr($_POST['hostip']) || is_hostname($_POST['hostip']) || is_macaddr($_POST['hostip']))
+ system("arping -c3 " . escapeshellarg($_POST['hostip']));
+ else
+ echo "Invalid input. Supplied address must be a valid IP or MAC address.";
 exit;
 }
-- cgit v1.2.3
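Review bot: escapeshellarg() on the new system() line quotes shell metacharacters but does not stop the value being parsed as an option, so the three validators are the only thing keeping a value that begins with `-` from being read by arping as a flag. is_ipaddr(), is_hostname() and is_macaddr() come from util.inc, which is not visible in this patch; confirm that none of them accepts a leading dash, or make the boundary explicit with an end-of-options marker if arping's parser honours one, e.g. `system("arping -c3 -- " . escapeshellarg($_POST['hostip']));`. The else branch's message says "IP or MAC address" although the condition also accepts hostnames; `echo "Invalid input. Supplied address must be a valid IP address, hostname or MAC address.";` would match the check. `$_POST['hostip']` is also read four times with no isset() test, so a request without the field reaches the validators as null; reading it once into a local after an isset() check would make the validated value and the executed value visibly the same.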