Escape client input, console output etc. before doing any echo.

Signed-off-by: D9ping <D9ping@users.noreply.github.com>
D9ping
2018-08-04 01:58:34 +02:00
parent 6be3680f8f
commit 2b03fa316d
12 changed files with 221 additions and 201 deletions


@@ -14,7 +14,7 @@ function DisplayDHCPConfig() {
if (CSRFValidate()) {
$config = 'interface='.$_POST['interface'].PHP_EOL
.'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].',255.255.255.0,'.$_POST['RangeLeaseTime'].''.$_POST['RangeLeaseTimeUnits'];
exec( 'echo "'.$config.'" > /tmp/dhcpddata',$temp );
exec( 'echo "'.$config.'" > /tmp/dhcpddata',$temp);
system( 'sudo cp /tmp/dhcpddata '. RASPI_DNSMASQ_CONFIG, $return );
if( $return == 0 ) {
@@ -83,14 +83,14 @@ function DisplayDHCPConfig() {
$dselected = '';
switch( $arrRangeLeaseTime[2] ) {
case "h":
$hselected = " selected";
case 'h':
$hselected = ' selected="selected"';
break;
case "m":
$mselected = " selected";
case 'm':
$mselected = ' selected="selected"';
break;
case "d":
$dselected = " selected";
case 'd':
$dselected = ' selected="selected"';
break;
}
@@ -119,42 +119,49 @@ function DisplayDHCPConfig() {
<div class="form-group col-md-4">
<label for="code">Interface</label>
<select class="form-control" name="interface">
<?php
<?php
exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
foreach( $interfaces as $int ) {
foreach( $interfaces as $inet ) {
$select = '';
if( $int == $conf['interface'] ) {
$select = " selected";
if( $inet === $conf['interface'] ) {
$select = ' selected="selected"'; // FIXED use xhtml valid attribute
}
echo '<option value="'.$int.'"'.$select.'>'.$int.'</option>';
}
?>
echo ' <option value="'.htmlspecialchars($inet, ENT_QUOTES).'"'.
$select.'>'.htmlspecialchars($inet, ENT_QUOTES).'</option>' , PHP_EOL;
}
?>
</select>
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code"><?php echo _("Starting IP Address"); ?></label>
<input type="text" class="form-control"name="RangeStart" value="<?php echo $RangeStart; ?>" />
<input type="text" class="form-control"name="RangeStart" value="<?php echo htmlspecialchars($RangeStart, ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-md-4">
<label for="code"><?php echo _("Ending IP Address"); ?></label>
<input type="text" class="form-control" name="RangeEnd" value="<?php echo $RangeEnd; ?>" />
<input type="text" class="form-control" name="RangeEnd" value="<?php echo htmlspecialchars($RangeEnd, ENT_QUOTES); ?>" />
</div>
</div>
<div class="row">
<div class="form-group col-xs-2 col-sm-2">
<label for="code"><?php echo _("Lease Time"); ?></label>
<input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo $arrRangeLeaseTime[1]; ?>" />
<input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo htmlspecialchars($arrRangeLeaseTime[1], ENT_QUOTES); ?>" />
</div>
<div class="col-xs-2 col-sm-2">
<label for="code"><?php echo _("Interval"); ?></label>
<select name="RangeLeaseTimeUnits" class="form-control" ><option value="m" <?php echo $mselected; ?>>Minute(s)</option><option value="h" <?php echo $hselected; ?>>Hour(s)</option><option value="d" <?php echo $dselected; ?>>Day(s)</option><option value="infinite">Infinite</option></select>
<select name="RangeLeaseTimeUnits" class="form-control" >
<option value="m" <?php echo $mselected; ?>>Minute(s)</option>
<option value="h" <?php echo $hselected; ?>>Hour(s)</option>
<option value="d" <?php echo $dselected; ?>>Day(s)</option>
<option value="infinite">Infinite</option>
</select>
</div>
</div>
@@ -166,7 +173,7 @@ function DisplayDHCPConfig() {
} else {
echo'<input type="submit" class="btn btn-success" value="' . _("Start dnsmasq") . '" name="startdhcpd" />';
}
?>
?>
</form>
</div><!-- /.tab-pane -->
@@ -190,16 +197,18 @@ function DisplayDHCPConfig() {
</thead>
<tbody>
<tr>
<?php
exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases );
foreach( $leases as $lease ) {
$lease_items = explode(' ', $lease);
foreach( $lease_items as $lease_item ) {
echo '<td>' . $lease_item . '</td>';
}
echo '</tr>';
};
?>
<?php
exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases );
foreach( $leases as $lease ) {
$lease_items = explode(' ', $lease);
foreach( $lease_items as $lease_item ) {
echo ' <td>'.htmlspecialchars($lease_item, ENT_QUOTES).'</td>'.PHP_EOL;
}
echo ' </tr>'.PHP_EOL;
};
?>
</tr>
</tbody>
</table>
@@ -210,12 +219,10 @@ function DisplayDHCPConfig() {
</div><!-- /.tab-pane -->
</div><!-- /.tab-content -->
</div><!-- ./ Panel body -->
<div class="panel-footer"> <?php echo _("Information provided by Dnsmasq");?></div>
<div class="panel-footer"> <?php echo _("Information provided by Dnsmasq"); ?></div>
</div><!-- /.panel-primary -->
</div><!-- /.col-lg-12 -->
</div><!-- /.row -->
<?php
}
?>
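Review bot: The first hunk of this file still passes raw `$_POST['interface']`, `RangeStart`, `RangeEnd`, `RangeLeaseTime` and `RangeLeaseTimeUnits` into `exec('echo "'.$config.'" > /tmp/dhcpddata', ...)` after only a whitespace change, so the escaping this commit adds covers the HTML output but not the shell: a `"`, backtick or `$(...)` in any of those fields is interpreted by the shell, and the result is then copied into the dnsmasq config with `sudo`. The fields should be validated against what they can legitimately be (the interface against the same `ip -o link show` list the page already uses for the dropdown, the range ends with `filter_var(..., FILTER_VALIDATE_IP)`, the lease time with `ctype_digit` and the unit against the fixed set of option values) and the staging file written with `file_put_contents` so no shell is involved before the privileged copy. The enclosing `DisplayDHCPConfig()` starts before this hunk, and the `$return` handling after `system()` continues past the lines I rewrote.
```php
if (CSRFValidate()) {
    // Validate every field before it reaches a shell or the dnsmasq config.
    exec("ip -o link show | awk -F': ' '{print $2}'", $knownIfaces);
    $validIface = in_array($_POST['interface'], $knownIfaces, true);
    $validRange = filter_var($_POST['RangeStart'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false
               && filter_var($_POST['RangeEnd'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    $validLease = ctype_digit($_POST['RangeLeaseTime'])
               && in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'), true);
    if ($validIface && $validRange && $validLease) {
        $config = 'interface='.$_POST['interface'].PHP_EOL
            .'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].',255.255.255.0,'.$_POST['RangeLeaseTime'].$_POST['RangeLeaseTimeUnits'];
        // Write the staging file directly; only the privileged copy goes through a shell.
        file_put_contents('/tmp/dhcpddata', $config.PHP_EOL);
        system('sudo cp /tmp/dhcpddata '. RASPI_DNSMASQ_CONFIG, $return);
        // … unchanged: $return check and status message …
    }
}
```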