
Merge pull request #220 from D9ping/Branch_D9ping

Multiple security fixes
This commit is contained in:
Bill Zimmerman 2018-08-06 16:39:28 +02:00 committed by GitHub
commit 833690a1b8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 263 additions and 210 deletions


@ -5,7 +5,7 @@ include_once('../../includes/functions.php');
if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) { if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate()) {
$int = $_POST['interface']; $int = preg_replace('/[^a-z0-9]/', '', $_POST['interface']);
if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) { if(!file_exists(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini')) {
touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini'); touch(RASPI_CONFIG_NETWORKING.'/'.$int.'.ini');
} }
@ -21,4 +21,3 @@ if(isset($_POST['interface']) && isset($_POST['csrf_token']) && CSRFValidate())
echo json_encode($jsonData); echo json_encode($jsonData);
} }
?>
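Review bot: The new `preg_replace('/[^a-z0-9]/', '', $_POST['interface'])` rewrites the name instead of rejecting it, so any stray character is silently dropped and the request goes on to create and use a different `.ini` than the one the caller named (a dotted or underscored interface name collapses into a plain one), and the lowercase-only class also disagrees with the `^[a-zA-Z0-9]+` check this same PR adds to the DHCP page. Validating and refusing keeps both pages consistent and makes a mismatch visible to the caller: `if (!preg_match('/^[a-zA-Z0-9]+\z/', $_POST['interface'])) { /* return an error instead of touching the file */ }` followed by `$int = $_POST['interface'];`. The enclosing block continues outside the hunk.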


@ -8,7 +8,7 @@ function DisplayAuthConfig($username, $password){
if (CSRFValidate()) { if (CSRFValidate()) {
if (password_verify($_POST['oldpass'], $password)) { if (password_verify($_POST['oldpass'], $password)) {
$new_username=trim($_POST['username']); $new_username=trim($_POST['username']);
if ($_POST['newpass'] != $_POST['newpassagain']) { if ($_POST['newpass'] !== $_POST['newpassagain']) {
$status->addMessage('New passwords do not match', 'danger'); $status->addMessage('New passwords do not match', 'danger');
} else if ($new_username == '') { } else if ($new_username == '') {
$status->addMessage('Username must not be empty', 'danger'); $status->addMessage('Username must not be empty', 'danger');
@ -17,6 +17,7 @@ function DisplayAuthConfig($username, $password){
$tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w'); $tmpauth = fopen(RASPI_ADMIN_DETAILS, 'w');
fclose($tmpauth); fclose($tmpauth);
} }
if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) { if ($auth_file = fopen(RASPI_ADMIN_DETAILS, 'w')) {
fwrite($auth_file, $new_username.PHP_EOL); fwrite($auth_file, $new_username.PHP_EOL);
fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL); fwrite($auth_file, password_hash($_POST['newpass'], PASSWORD_BCRYPT).PHP_EOL);
@ -46,7 +47,7 @@ function DisplayAuthConfig($username, $password){
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="username"><?php echo _("Username"); ?></label> <label for="username"><?php echo _("Username"); ?></label>
<input type="text" class="form-control" name="username" value="<?php echo $username; ?>"/> <input type="text" class="form-control" name="username" value="<?php echo htmlspecialchars($username, ENT_QUOTES); ?>"/>
</div> </div>
</div> </div>
<div class="row"> <div class="row">
@ -76,4 +77,3 @@ function DisplayAuthConfig($username, $password){
<?php <?php
} }
?>
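Review bot: The credentials file is written one field per line (`fwrite($auth_file, $new_username.PHP_EOL)` followed by the hash on the next line), and `trim()` only strips leading and trailing whitespace, so a username containing an embedded CR or LF would push the hash down a line and corrupt the file layout; nothing in the hunk rejects that. A check next to the empty-username one would close it: `} else if (preg_match('/[\r\n]/', $new_username)) { $status->addMessage('Username must not contain line breaks', 'danger');`. While the password comparison was tightened to `!==`, the `$new_username == ''` test beside it still uses loose comparison and could be `=== ''`. DisplayAuthConfig continues outside the hunk.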


@ -10,4 +10,3 @@ if (!$validated) {
die ("Not authorized"); die ("Not authorized");
} }
?>


@ -31,4 +31,3 @@ define('RASPI_CHANGETHEME_ENABLED', true );
define('LOCALE_ROOT', 'locale'); define('LOCALE_ROOT', 'locale');
define('LOCALE_DOMAIN', 'messages'); define('LOCALE_DOMAIN', 'messages');
?>


@ -165,7 +165,7 @@ function DisplayWPAConfig(){
<p><?php $status->showMessages(); ?></p> <p><?php $status->showMessages(); ?></p>
<h4><?php echo _("Client settings"); ?></h4> <h4><?php echo _("Client settings"); ?></h4>
<div class="btn-group btn-block"> <div class="btn-group btn-block">
<a href=".?<?php echo $_SERVER['QUERY_STRING']; ?>" style="padding:10px;float: right;display: block;position: relative;margin-top: -55px;" class="col-md-2 btn btn-info" id="update"><?php echo _("Rescan"); ?></a> <a href=".?<?php echo htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES); ?>" style="padding:10px;float: right;display: block;position: relative;margin-top: -55px;" class="col-md-2 btn btn-info" id="update"><?php echo _("Rescan"); ?></a>
</div> </div>
<form method="POST" action="?page=wpa_conf" name="wpa_conf_form"> <form method="POST" action="?page=wpa_conf" name="wpa_conf_form">
<?php CSRFToken() ?> <?php CSRFToken() ?>
@ -191,19 +191,19 @@ function DisplayWPAConfig(){
<?php } ?> <?php } ?>
</td> </td>
<td> <td>
<input type="hidden" name="ssid<?php echo $index ?>" value="<?php echo htmlentities($ssid) ?>" /> <input type="hidden" name="ssid<?php echo $index ?>" value="<?php echo htmlentities($ssid, ENT_QUOTES) ?>" />
<?php echo $ssid ?> <?php echo htmlspecialchars($ssid, ENT_QUOTES); ?>
</td> </td>
<?php if (array_key_exists('visible', $network) && $network['visible']) { ?> <?php if (array_key_exists('visible', $network) && $network['visible']) { ?>
<td><?php echo $network['channel'] ?></td> <td><?php echo htmlspecialchars($network['channel'], ENT_QUOTES); ?></td>
<?php } else { ?> <?php } else { ?>
<td><span class="label label-warning">X</span></td> <td><span class="label label-warning">X</span></td>
<?php } ?> <?php } ?>
<td> <td>
<?php if (array_key_exists('priority', $network)) { ?> <?php if (array_key_exists('priority', $network)) { ?>
<input type="hidden" name="priority<?php echo $index ?>" value="<?php echo $network['priority'] ?>" /> <input type="hidden" name="priority<?php echo $index ?>" value="<?php echo htmlspecialchars($network['priority'], ENT_QUOTES); ?>" />
<?php } ?> <?php } ?>
<input type="hidden" name="protocol<?php echo $index ?>" value="<?php echo $network['protocol'] ?>" /><?php echo $network['protocol'] ?> <input type="hidden" name="protocol<?php echo $index ?>" value="<?php echo htmlspecialchars($network['protocol'], ENT_QUOTES); ?>" /><?php echo htmlspecialchars($network['protocol'], ENT_QUOTES); ?>
</td> </td>
<?php if ($network['protocol'] === 'Open') { ?> <?php if ($network['protocol'] === 'Open') { ?>
<td><input type="hidden" name="passphrase<?php echo $index ?>" value="" />---</td> <td><input type="hidden" name="passphrase<?php echo $index ?>" value="" />---</td>
@ -233,4 +233,3 @@ function DisplayWPAConfig(){
<?php <?php
} }
?>
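Review bot: `htmlspecialchars($ssid, ENT_QUOTES)` on the visible-name line and `htmlentities($ssid, ENT_QUOTES)` in the hidden input above it both return an empty string when the input is not valid UTF-8 (the default charset since PHP 5.4), and an SSID is an arbitrary 0–32 octet string, so a network with a non-UTF-8 name would render blank and the form would submit an empty `ssid<index>` value. Adding the substitute flag replaces the bad bytes with U+FFFD instead of discarding the whole string: `htmlspecialchars($ssid, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`, and the same applies to the other call sites this PR adds. The `$index` echoed into the `name` attributes stays unescaped, which is fine only if it is the integer loop counter it appears to be. DisplayWPAConfig continues outside the hunk.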


@ -85,16 +85,16 @@ function DisplayDashboard(){
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-body"> <div class="panel-body">
<h4><?php echo _("Interface Information"); ?></h4> <h4><?php echo _("Interface Information"); ?></h4>
<div class="info-item"><?php echo _("Interface Name"); ?></div> <?php echo RASPI_WIFI_CLIENT_INTERFACE ?></br> <div class="info-item"><?php echo _("Interface Name"); ?></div> <?php echo RASPI_WIFI_CLIENT_INTERFACE; ?><br />
<div class="info-item"><?php echo _("IP Address"); ?></div> <?php echo $strIPAddress ?></br> <div class="info-item"><?php echo _("IP Address"); ?></div> <?php echo htmlspecialchars($strIPAddress, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Subnet Mask"); ?></div> <?php echo $strNetMask ?></br> <div class="info-item"><?php echo _("Subnet Mask"); ?></div> <?php echo htmlspecialchars($strNetMask, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Mac Address"); ?></div> <?php echo $strHWAddress ?></br></br> <div class="info-item"><?php echo _("Mac Address"); ?></div> <?php echo htmlspecialchars($strHWAddress, ENT_QUOTES); ?><br /><br />
<h4><?php echo _("Interface Statistics"); ?></h4> <h4><?php echo _("Interface Statistics"); ?></h4>
<div class="info-item"><?php echo _("Received Packets"); ?></div> <?php echo $strRxPackets ?></br> <div class="info-item"><?php echo _("Received Packets"); ?></div> <?php echo htmlspecialchars($strRxPackets, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Received Bytes"); ?></div> <?php echo $strRxBytes ?></br></br> <div class="info-item"><?php echo _("Received Bytes"); ?></div> <?php echo htmlspecialchars($strRxBytes, ENT_QUOTES); ?><br /><br />
<div class="info-item"><?php echo _("Transferred Packets"); ?></div> <?php echo $strTxPackets ?></br> <div class="info-item"><?php echo _("Transferred Packets"); ?></div> <?php echo htmlspecialchars($strTxPackets, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Transferred Bytes"); ?></div> <?php echo $strTxBytes ?></br> <div class="info-item"><?php echo _("Transferred Bytes"); ?></div> <?php echo htmlspecialchars($strTxBytes, ENT_QUOTES); ?><br />
</div><!-- /.panel-body --> </div><!-- /.panel-body -->
</div><!-- /.panel-default --> </div><!-- /.panel-default -->
</div><!-- /.col-md-6 --> </div><!-- /.col-md-6 -->
@ -102,18 +102,18 @@ function DisplayDashboard(){
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-body wireless"> <div class="panel-body wireless">
<h4><?php echo _("Wireless Information"); ?></h4> <h4><?php echo _("Wireless Information"); ?></h4>
<div class="info-item"><?php echo _("Connected To"); ?></div> <?php echo $strSSID ?></br> <div class="info-item"><?php echo _("Connected To"); ?></div> <?php echo htmlspecialchars($strSSID, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("AP Mac Address"); ?></div> <?php echo $strBSSID ?></br> <div class="info-item"><?php echo _("AP Mac Address"); ?></div> <?php echo htmlspecialchars($strBSSID, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Bitrate"); ?></div> <?php echo $strBitrate ?></br> <div class="info-item"><?php echo _("Bitrate"); ?></div> <?php echo htmlspecialchars($strBitrate, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Signal Level"); ?></div> <?php echo $strSignalLevel ?></br> <div class="info-item"><?php echo _("Signal Level"); ?></div> <?php echo htmlspecialchars($strSignalLevel, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Transmit Power"); ?></div> <?php echo $strTxPower ?></br> <div class="info-item"><?php echo _("Transmit Power"); ?></div> <?php echo htmlspecialchars($strTxPower, ENT_QUOTES); ?><br />
<div class="info-item"><?php echo _("Frequency"); ?></div> <?php echo $strFrequency ?></br></br> <div class="info-item"><?php echo _("Frequency"); ?></div> <?php echo htmlspecialchars($strFrequency, ENT_QUOTES); ?><br /><br />
<div class="info-item"><?php echo _("Link Quality"); ?></div> <div class="info-item"><?php echo _("Link Quality"); ?></div>
<div class="progress"> <div class="progress">
<div class="progress-bar progress-bar-info progress-bar-striped active" <div class="progress-bar progress-bar-info progress-bar-striped active"
role="progressbar" role="progressbar"
aria-valuenow="<?php echo $strLinkQuality ?>" aria-valuemin="0" aria-valuemax="100" aria-valuenow="<?php echo htmlspecialchars($strLinkQuality, ENT_QUOTES); ?>" aria-valuemin="0" aria-valuemax="100"
style="width: <?php echo $strLinkQuality ?>%;"><?php echo $strLinkQuality ?>% style="width: <?php echo htmlspecialchars($strLinkQuality, ENT_QUOTES); ?>%;"><?php echo htmlspecialchars($strLinkQuality, ENT_QUOTES); ?>%
</div> </div>
</div> </div>
</div><!-- /.panel-body --> </div><!-- /.panel-body -->
@ -143,4 +143,3 @@ function DisplayDashboard(){
<?php <?php
} }
?>
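Review bot: On the `style="width: ...%;"` line `$strLinkQuality` lands in a CSS value and in `aria-valuenow`, where HTML-escaping stops attribute break-out but does not guarantee a number; if the value comes from parsed tool output (its origin is not visible here), anything that is not a plain integer produces an invalid width rather than being rejected. Casting once before the markup, `$strLinkQuality = (int) $strLinkQuality;`, is the right primitive for that context and leaves the escaping to the text values where it belongs. The `</br>` → `<br />` correction is a good catch. DisplayDashboard continues outside the hunk.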


@ -12,15 +12,46 @@ function DisplayDHCPConfig() {
$status = new StatusMessages(); $status = new StatusMessages();
if( isset( $_POST['savedhcpdsettings'] ) ) { if( isset( $_POST['savedhcpdsettings'] ) ) {
if (CSRFValidate()) { if (CSRFValidate()) {
$config = 'interface='.$_POST['interface'].PHP_EOL $errors = '';
.'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].',255.255.255.0,'.$_POST['RangeLeaseTime'].''.$_POST['RangeLeaseTimeUnits']; define('IFNAMSIZ', 16);
exec( 'echo "'.$config.'" > /tmp/dhcpddata',$temp ); if (!preg_match('/^[a-zA-Z0-9]+$/', $_POST['interface']) ||
system( 'sudo cp /tmp/dhcpddata '. RASPI_DNSMASQ_CONFIG, $return ); strlen($_POST['interface']) >= IFNAMSIZ) {
$errors .= _('Invalid interface name.').'<br />'.PHP_EOL;
}
if( $return == 0 ) { if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeStart']) &&
!empty($_POST['RangeStart'])) { // allow ''/null ?
$errors .= _('Invalid DHCP range start.').'<br />'.PHP_EOL;
}
if (!preg_match('/^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\z/', $_POST['RangeEnd']) &&
!empty($_POST['RangeEnd'])) { // allow ''/null ?
$errors .= _('Invalid DHCP range end.').'<br />'.PHP_EOL;
}
if (!ctype_digit($_POST['RangeLeaseTime'])) {
$errors .= _('Invalid DHCP lease time, not a number.').'<br />'.PHP_EOL;
}
if (!in_array($_POST['RangeLeaseTimeUnits'], array('m', 'h', 'd', 'infinite'))) {
$errors .= _('Unknown DHCP lease time unit.').'<br />'.PHP_EOL;
}
$return = 1;
if (empty($errors)) {
$config = 'interface='.$_POST['interface'].PHP_EOL.
'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].
',255.255.255.0,'.$_POST['RangeLeaseTime'].$_POST['RangeLeaseTimeUnits'];
exec('echo "'.$config.'" > /tmp/dhcpddata', $temp);
system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
} else {
$status->addMessage($errors, 'danger');
}
if ($return == 0) {
$status->addMessage('Dnsmasq configuration updated successfully', 'success'); $status->addMessage('Dnsmasq configuration updated successfully', 'success');
} else { } else {
$status->addMessage('Dnsmasq configuration failed to be updated', 'danger'); $status->addMessage('Dnsmasq configuration failed to be updated.', 'danger');
} }
} else { } else {
error_log('CSRF violation'); error_log('CSRF violation');
@ -83,14 +114,14 @@ function DisplayDHCPConfig() {
$dselected = ''; $dselected = '';
switch( $arrRangeLeaseTime[2] ) { switch( $arrRangeLeaseTime[2] ) {
case "h": case 'h':
$hselected = " selected"; $hselected = ' selected="selected"';
break; break;
case "m": case 'm':
$mselected = " selected"; $mselected = ' selected="selected"';
break; break;
case "d": case 'd':
$dselected = " selected"; $dselected = ' selected="selected"';
break; break;
} }
@ -119,42 +150,49 @@ function DisplayDHCPConfig() {
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Interface</label> <label for="code">Interface</label>
<select class="form-control" name="interface"> <select class="form-control" name="interface">
<?php <?php
exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces); exec("ip -o link show | awk -F': ' '{print $2}'", $interfaces);
foreach( $interfaces as $int ) { foreach( $interfaces as $inet ) {
$select = ''; $select = '';
if( $int == $conf['interface'] ) { if( $inet === $conf['interface'] ) {
$select = " selected"; $select = ' selected="selected"'; // FIXED use xhtml valid attribute
} }
echo '<option value="'.$int.'"'.$select.'>'.$int.'</option>';
echo ' <option value="'.htmlspecialchars($inet, ENT_QUOTES).'"'.
$select.'>'.htmlspecialchars($inet, ENT_QUOTES).'</option>' , PHP_EOL;
} }
?> ?>
</select> </select>
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code"><?php echo _("Starting IP Address"); ?></label> <label for="code"><?php echo _("Starting IP Address"); ?></label>
<input type="text" class="form-control"name="RangeStart" value="<?php echo $RangeStart; ?>" /> <input type="text" class="form-control"name="RangeStart" value="<?php echo htmlspecialchars($RangeStart, ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code"><?php echo _("Ending IP Address"); ?></label> <label for="code"><?php echo _("Ending IP Address"); ?></label>
<input type="text" class="form-control" name="RangeEnd" value="<?php echo $RangeEnd; ?>" /> <input type="text" class="form-control" name="RangeEnd" value="<?php echo htmlspecialchars($RangeEnd, ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-xs-2 col-sm-2"> <div class="form-group col-xs-2 col-sm-2">
<label for="code"><?php echo _("Lease Time"); ?></label> <label for="code"><?php echo _("Lease Time"); ?></label>
<input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo $arrRangeLeaseTime[1]; ?>" /> <input type="text" class="form-control" name="RangeLeaseTime" value="<?php echo htmlspecialchars($arrRangeLeaseTime[1], ENT_QUOTES); ?>" />
</div> </div>
<div class="col-xs-2 col-sm-2"> <div class="col-xs-2 col-sm-2">
<label for="code"><?php echo _("Interval"); ?></label> <label for="code"><?php echo _("Interval"); ?></label>
<select name="RangeLeaseTimeUnits" class="form-control" ><option value="m" <?php echo $mselected; ?>>Minute(s)</option><option value="h" <?php echo $hselected; ?>>Hour(s)</option><option value="d" <?php echo $dselected; ?>>Day(s)</option><option value="infinite">Infinite</option></select> <select name="RangeLeaseTimeUnits" class="form-control" >
<option value="m" <?php echo $mselected; ?>>Minute(s)</option>
<option value="h" <?php echo $hselected; ?>>Hour(s)</option>
<option value="d" <?php echo $dselected; ?>>Day(s)</option>
<option value="infinite">Infinite</option>
</select>
</div> </div>
</div> </div>
@ -166,7 +204,7 @@ function DisplayDHCPConfig() {
} else { } else {
echo'<input type="submit" class="btn btn-success" value="' . _("Start dnsmasq") . '" name="startdhcpd" />'; echo'<input type="submit" class="btn btn-success" value="' . _("Start dnsmasq") . '" name="startdhcpd" />';
} }
?> ?>
</form> </form>
</div><!-- /.tab-pane --> </div><!-- /.tab-pane -->
@ -190,16 +228,18 @@ function DisplayDHCPConfig() {
</thead> </thead>
<tbody> <tbody>
<tr> <tr>
<?php <?php
exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases ); exec( 'cat ' . RASPI_DNSMASQ_LEASES, $leases );
foreach( $leases as $lease ) { foreach( $leases as $lease ) {
$lease_items = explode(' ', $lease); $lease_items = explode(' ', $lease);
foreach( $lease_items as $lease_item ) { foreach( $lease_items as $lease_item ) {
echo '<td>' . $lease_item . '</td>'; echo ' <td>'.htmlspecialchars($lease_item, ENT_QUOTES).'</td>'.PHP_EOL;
} }
echo '</tr>';
}; echo ' </tr>'.PHP_EOL;
?> };
?>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -210,12 +250,10 @@ function DisplayDHCPConfig() {
</div><!-- /.tab-pane --> </div><!-- /.tab-pane -->
</div><!-- /.tab-content --> </div><!-- /.tab-content -->
</div><!-- ./ Panel body --> </div><!-- ./ Panel body -->
<div class="panel-footer"> <?php echo _("Information provided by Dnsmasq");?></div> <div class="panel-footer"> <?php echo _("Information provided by Dnsmasq"); ?></div>
</div><!-- /.panel-primary --> </div><!-- /.panel-primary -->
</div><!-- /.col-lg-12 --> </div><!-- /.col-lg-12 -->
</div><!-- /.row --> </div><!-- /.row -->
<?php <?php
} }
?>
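Review bot: In the validation hunk (`@ -12,15 +12,46`) the interface pattern `/^[a-zA-Z0-9]+$/` uses `$`, which in PCRE also matches before a trailing newline, so a name ending in `\n` passes the check and is concatenated into `$config` and the shell `echo`, while the two IP patterns right below it correctly use `\z`; those IP patterns in turn accept octets up to 999, and `define('IFNAMSIZ', 16)` inside the function body emits a warning if the function runs twice or the constant is already defined elsewhere. The `// allow ''/null ?` comments also leave an open question that the code currently answers by writing `dhcp-range=,,255.255.255.0,...` when both fields are empty. I would close the pattern with `\z`, validate the addresses with `filter_var(..., FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)`, move the constant to the config file or guard it with `defined()`, and write the staging file with `file_put_contents` so no user-derived string reaches a shell at all. DisplayDHCPConfig continues outside the hunk.

```php
// … unchanged: CSRF check, $errors = '' …
if (!preg_match('/^[a-zA-Z0-9]+\z/', $_POST['interface']) ||
    strlen($_POST['interface']) >= IFNAMSIZ) {
    $errors .= _('Invalid interface name.').'<br />'.PHP_EOL;
}
if (!empty($_POST['RangeStart']) &&
    filter_var($_POST['RangeStart'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
    $errors .= _('Invalid DHCP range start.').'<br />'.PHP_EOL;
}
if (!empty($_POST['RangeEnd']) &&
    filter_var($_POST['RangeEnd'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
    $errors .= _('Invalid DHCP range end.').'<br />'.PHP_EOL;
}
// … unchanged: lease time and lease unit checks, $return = 1 …
if (empty($errors)) {
    $config = 'interface='.$_POST['interface'].PHP_EOL.
        'dhcp-range='.$_POST['RangeStart'].','.$_POST['RangeEnd'].
        ',255.255.255.0,'.$_POST['RangeLeaseTime'].$_POST['RangeLeaseTimeUnits'];
    // Write the staging file directly: no shell, so no quoting concerns.
    file_put_contents('/tmp/dhcpddata', $config.PHP_EOL);
    system('sudo cp /tmp/dhcpddata '.RASPI_DNSMASQ_CONFIG, $return);
}
// … unchanged: error/success messages …
```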


@ -55,7 +55,7 @@ function safefilerewrite($fileName, $dataToSave) {
*/ */
function CSRFToken() { function CSRFToken() {
?> ?>
<input id="csrf_token" type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" /> <input id="csrf_token" type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES);; ?>" />
<?php <?php
} }
@ -90,16 +90,19 @@ function isAssoc($arr) {
* *
*/ */
function SelectorOptions($name, $options, $selected = null) { function SelectorOptions($name, $options, $selected = null) {
echo "<select class=\"form-control\" name=\"$name\">"; echo '<select class="form-control" name="'.htmlspecialchars($name, ENT_QUOTES).'>' , PHP_EOL;
foreach ( $options as $opt => $label) { foreach ( $options as $opt => $label) {
$select = ''; $select = '';
$key = isAssoc($options) ? $opt : $label; $key = isAssoc($options) ? $opt : $label;
if( $key == $selected ) { if( $key == $selected ) {
$select = " selected"; $select = ' selected="selected"';
} }
echo "<option value=\"$key\"$select>$label</options>";
echo '<option value="'.htmlspecialchars($key, ENT_QUOTES).'"'.$select.'>'.
htmlspecialchars($label, ENT_QUOTES).'</options>' , PHP_EOL;
} }
echo "</select>";
echo '</select>' , PHP_EOL;
} }
/** /**
@ -221,16 +224,13 @@ function DisplayOpenVPNConfig() {
<div class="row"> <div class="row">
<div class="col-lg-12"> <div class="col-lg-12">
<div class="panel panel-primary"> <div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-lock fa-fw"></i> Configure OpenVPN <div class="panel-heading"><i class="fa fa-lock fa-fw"></i> Configure OpenVPN </div>
</div>
<!-- /.panel-heading --> <!-- /.panel-heading -->
<div class="panel-body"> <div class="panel-body">
<!-- Nav tabs --> <!-- Nav tabs -->
<ul class="nav nav-tabs"> <ul class="nav nav-tabs">
<li class="active"><a href="#openvpnclient" data-toggle="tab">Client settings</a> <li class="active"><a href="#openvpnclient" data-toggle="tab">Client settings</a></li>
</li> <li><a href="#openvpnserver" data-toggle="tab">Server settings</a></li>
<li><a href="#openvpnserver" data-toggle="tab">Server settings</a>
</li>
</ul> </ul>
<!-- Tab panes --> <!-- Tab panes -->
<div class="tab-content"> <div class="tab-content">
@ -249,7 +249,7 @@ function DisplayOpenVPNConfig() {
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Client Log</label> <label for="code">Client Log</label>
<input type="text" class="form-control" id="disabledInput" name="log-append" type="text" placeholder="<?php echo $arrClientConfig['log-append']; ?>" disabled /> <input type="text" class="form-control" id="disabledInput" name="log-append" type="text" placeholder="<?php echo htmlspecialchars($arrClientConfig['log-append'], ENT_QUOTES); ?>" disabled="disabled" />
</div> </div>
</div> </div>
</div> </div>
@ -258,54 +258,54 @@ function DisplayOpenVPNConfig() {
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Port</label> <label for="code">Port</label>
<input type="text" class="form-control" name="openvpn_port" value="<?php echo $arrServerConfig['port'] ?>" /> <input type="text" class="form-control" name="openvpn_port" value="<?php echo htmlspecialchars($arrServerConfig['port'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Protocol</label> <label for="code">Protocol</label>
<input type="text" class="form-control" name="openvpn_proto" value="<?php echo $arrServerConfig['proto'] ?>" /> <input type="text" class="form-control" name="openvpn_proto" value="<?php echo htmlspecialchars($arrServerConfig['proto'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Root CA certificate</label> <label for="code">Root CA certificate</label>
<input type="text" class="form-control" name="openvpn_rootca" placeholder="<?php echo $arrServerConfig['ca']; ?>" disabled /> <input type="text" class="form-control" name="openvpn_rootca" placeholder="<?php echo htmlspecialchars($arrServerConfig['ca'], ENT_QUOTES); ?>" disabled="disabled" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Server certificate</label> <label for="code">Server certificate</label>
<input type="text" class="form-control" name="openvpn_cert" placeholder="<?php echo $arrServerConfig['cert']; ?>" disabled /> <input type="text" class="form-control" name="openvpn_cert" placeholder="<?php echo htmlspecialchars($arrServerConfig['cert'], ENT_QUOTES); ?>" disabled="disabled" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Diffie Hellman parameters</label> <label for="code">Diffie Hellman parameters</label>
<input type="text" class="form-control" name="openvpn_dh" placeholder="<?php echo $arrServerConfig['dh']; ?>" disabled /> <input type="text" class="form-control" name="openvpn_dh" placeholder="<?php echo htmlspecialchars($arrServerConfig['dh'], ENT_QUOTES); ?>" disabled="disabled" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">KeepAlive</label> <label for="code">KeepAlive</label>
<input type="text" class="form-control" name="openvpn_keepalive" value="<?php echo $arrServerConfig['keepalive']; ?>" /> <input type="text" class="form-control" name="openvpn_keepalive" value="<?php echo htmlspecialchars($arrServerConfig['keepalive'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Server log</label> <label for="code">Server log</label>
<input type="text" class="form-control" name="openvpn_status" placeholder="<?php echo $arrServerConfig['status']; ?>" disabled /> <input type="text" class="form-control" name="openvpn_status" placeholder="<?php echo htmlspecialchars($arrServerConfig['status'], ENT_QUOTES); ?>" disabled="disabled" />
</div> </div>
</div> </div>
</div> </div>
<input type="submit" class="btn btn-outline btn-primary" name="SaveOpenVPNSettings" value="Save settings" /> <input type="submit" class="btn btn-outline btn-primary" name="SaveOpenVPNSettings" value="Save settings" />
<?php <?php
if($hostapdstatus[0] == 0) { if($hostapdstatus[0] == 0) {
echo '<input type="submit" class="btn btn-success" name="StartOpenVPN" value="Start OpenVPN" />'; echo '<input type="submit" class="btn btn-success" name="StartOpenVPN" value="Start OpenVPN" />' , PHP_EOL;
} else { } else {
echo '<input type="submit" class="btn btn-warning" name="StopOpenVPN" value="Stop OpenVPN" />'; echo '<input type="submit" class="btn btn-warning" name="StopOpenVPN" value="Stop OpenVPN" />' , PHP_EOL;
} }
?> ?>
</form> </form>
</div><!-- /.panel-body --> </div><!-- /.panel-body -->
</div><!-- /.panel-primary --> </div><!-- /.panel-primary -->
@ -332,6 +332,7 @@ function DisplayTorProxyConfig(){
<button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>'; <button type="button" class="close" data-dismiss="alert" aria-hidden="true">×</button></div>';
} }
$arrConfig = array();
foreach( $return as $a ) { foreach( $return as $a ) {
if( $a[0] != "#" ) { if( $a[0] != "#" ) {
$arrLine = explode( " ",$a) ; $arrLine = explode( " ",$a) ;
@ -339,12 +340,11 @@ function DisplayTorProxyConfig(){
} }
} }
?> ?>
<div class="row"> <div class="row">
<div class="col-lg-12"> <div class="col-lg-12">
<div class="panel panel-primary"> <div class="panel panel-primary">
<div class="panel-heading"><i class="fa fa-eye-slash fa-fw"></i> Configure TOR proxy <div class="panel-heading"><i class="fa fa-eye-slash fa-fw"></i> Configure TOR proxy</div>
</div>
<!-- /.panel-heading --> <!-- /.panel-heading -->
<div class="panel-body"> <div class="panel-body">
<!-- Nav tabs --> <!-- Nav tabs -->
@ -365,37 +365,37 @@ function DisplayTorProxyConfig(){
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">VirtualAddrNetwork</label> <label for="code">VirtualAddrNetwork</label>
<input type="text" class="form-control" name="virtualaddrnetwork" value="<?php echo $arrConfig['VirtualAddrNetwork']; ?>" /> <input type="text" class="form-control" name="virtualaddrnetwork" value="<?php echo htmlspecialchars($arrConfig['VirtualAddrNetwork'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">AutomapHostsSuffixes</label> <label for="code">AutomapHostsSuffixes</label>
<input type="text" class="form-control" name="automaphostssuffixes" value="<?php echo $arrConfig['AutomapHostsSuffixes']; ?>" /> <input type="text" class="form-control" name="automaphostssuffixes" value="<?php echo htmlspecialchars($arrConfig['AutomapHostsSuffixes'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">AutomapHostsOnResolve</label> <label for="code">AutomapHostsOnResolve</label>
<input type="text" class="form-control" name="automaphostsonresolve" value="<?php echo $arrConfig['AutomapHostsOnResolve']; ?>" /> <input type="text" class="form-control" name="automaphostsonresolve" value="<?php echo htmlspecialchars($arrConfig['AutomapHostsOnResolve'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">TransListenAddress</label> <label for="code">TransListenAddress</label>
<input type="text" class="form-control" name="translistenaddress" value="<?php echo $arrConfig['TransListenAddress']; ?>" /> <input type="text" class="form-control" name="translistenaddress" value="<?php echo htmlspecialchars($arrConfig['TransListenAddress'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">DNSPort</label> <label for="code">DNSPort</label>
<input type="text" class="form-control" name="dnsport" value="<?php echo $arrConfig['DNSPort']; ?>" /> <input type="text" class="form-control" name="dnsport" value="<?php echo htmlspecialchars($arrConfig['DNSPort'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">DNSListenAddress</label> <label for="code">DNSListenAddress</label>
<input type="text" class="form-control" name="dnslistenaddress" value="<?php echo $arrConfig['DNSListenAddress']; ?>" /> <input type="text" class="form-control" name="dnslistenaddress" value="<?php echo htmlspecialchars($arrConfig['DNSListenAddress'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
</div> </div>
@ -404,37 +404,37 @@ function DisplayTorProxyConfig(){
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">ORPort</label> <label for="code">ORPort</label>
<input type="text" class="form-control" name="orport" value="<?php echo $arrConfig['ORPort']; ?>" /> <input type="text" class="form-control" name="orport" value="<?php echo htmlspecialchars($arrConfig['ORPort'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">ORListenAddress</label> <label for="code">ORListenAddress</label>
<input type="text" class="form-control" name="orlistenaddress" value="<?php echo $arrConfig['ORListenAddress']; ?>" /> <input type="text" class="form-control" name="orlistenaddress" value="<?php echo htmlspecialchars($arrConfig['ORListenAddress'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Nickname</label> <label for="code">Nickname</label>
<input type="text" class="form-control" name="nickname" value="<?php echo $arrConfig['Nickname']; ?>" /> <input type="text" class="form-control" name="nickname" value="<?php echo htmlspecialchars($arrConfig['Nickname'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">Address</label> <label for="code">Address</label>
<input type="text" class="form-control" name="address" value="<?php echo $arrConfig['Address']; ?>" /> <input type="text" class="form-control" name="address" value="<?php echo htmlspecialchars($arrConfig['Address'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">RelayBandwidthRate</label> <label for="code">RelayBandwidthRate</label>
<input type="text" class="form-control" name="relaybandwidthrate" value="<?php echo $arrConfig['RelayBandwidthRate']; ?>" /> <input type="text" class="form-control" name="relaybandwidthrate" value="<?php echo htmlspecialchars($arrConfig['RelayBandwidthRate'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code">RelayBandwidthBurst</label> <label for="code">RelayBandwidthBurst</label>
<input type="text" class="form-control" name="relaybandwidthburst" value="<?php echo $arrConfig['RelayBandwidthBurst']; ?>" /> <input type="text" class="form-control" name="relaybandwidthburst" value="<?php echo htmlspecialchars($arrConfig['RelayBandwidthBurst'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
</div> </div>
@ -442,9 +442,9 @@ function DisplayTorProxyConfig(){
<input type="submit" class="btn btn-outline btn-primary" name="SaveTORProxySettings" value="Save settings" /> <input type="submit" class="btn btn-outline btn-primary" name="SaveTORProxySettings" value="Save settings" />
<?php <?php
if( $torproxystatus[0] == 0 ) { if( $torproxystatus[0] == 0 ) {
echo '<input type="submit" class="btn btn-success" name="StartTOR" value="Start TOR" />'; echo '<input type="submit" class="btn btn-success" name="StartTOR" value="Start TOR" />' , PHP_EOL;
} else { } else {
echo '<input type="submit" class="btn btn-warning" name="StopTOR" value="Stop TOR" />'; echo '<input type="submit" class="btn btn-warning" name="StopTOR" value="Stop TOR" />' , PHP_EOL;
}; };
?> ?>
</form> </form>
@ -470,26 +470,26 @@ function SaveTORAndVPNConfig(){
echo "Attempting to start openvpn"; echo "Attempting to start openvpn";
exec( 'sudo /etc/init.d/openvpn start', $return ); exec( 'sudo /etc/init.d/openvpn start', $return );
foreach( $return as $line ) { foreach( $return as $line ) {
echo $line."<br />"; echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
} }
} elseif( isset($_POST['StopOpenVPN']) ) { } elseif( isset($_POST['StopOpenVPN']) ) {
echo "Attempting to stop openvpn"; echo "Attempting to stop openvpn";
exec( 'sudo /etc/init.d/openvpn stop', $return ); exec( 'sudo /etc/init.d/openvpn stop', $return );
foreach( $return as $line ) { foreach( $return as $line ) {
echo $line."<br />"; echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
} }
} elseif( isset($_POST['StartTOR']) ) { } elseif( isset($_POST['StartTOR']) ) {
echo "Attempting to start TOR"; echo "Attempting to start TOR";
exec( 'sudo /etc/init.d/tor start', $return ); exec( 'sudo /etc/init.d/tor start', $return );
foreach( $return as $line ) { foreach( $return as $line ) {
echo $line."<br />"; echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
} }
} elseif( isset($_POST['StopTOR']) ) { } elseif( isset($_POST['StopTOR']) ) {
echo "Attempting to stop TOR"; echo "Attempting to stop TOR";
exec( 'sudo /etc/init.d/tor stop', $return ); exec( 'sudo /etc/init.d/tor stop', $return );
foreach( $return as $line ) { foreach( $return as $line ) {
echo $line."<br />"; echo htmlspecialchars($line, ENT_QUOTES).'<br />' , PHP_EOL;
} }
} }
} }
?>


@ -62,7 +62,8 @@ function DisplayHostAPDConfig(){
$arrConfig[$arrLine[0]]=$arrLine[1]; $arrConfig[$arrLine[0]]=$arrLine[1];
} }
}; };
?>
?>
<div class="row"> <div class="row">
<div class="col-lg-12"> <div class="col-lg-12">
<div class="panel panel-primary"> <div class="panel panel-primary">
@ -96,7 +97,7 @@ function DisplayHostAPDConfig(){
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code"><?php echo _("SSID"); ?></label> <label for="code"><?php echo _("SSID"); ?></label>
<input type="text" class="form-control" name="ssid" value="<?php echo $arrConfig['ssid']; ?>" /> <input type="text" class="form-control" name="ssid" value="<?php echo htmlspecialchars($arrConfig['ssid'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
<div class="row"> <div class="row">
@ -129,7 +130,7 @@ function DisplayHostAPDConfig(){
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code"><?php echo _("PSK"); ?></label> <label for="code"><?php echo _("PSK"); ?></label>
<input type="text" class="form-control" name="wpa_passphrase" value="<?php echo $arrConfig['wpa_passphrase'] ?>" /> <input type="text" class="form-control" name="wpa_passphrase" value="<?php echo htmlspecialchars($arrConfig['wpa_passphrase'], ENT_QUOTES); ?>" />
</div> </div>
</div> </div>
</div> </div>
@ -140,7 +141,7 @@ function DisplayHostAPDConfig(){
<?php <?php
if($arrHostapdConf['LogEnable'] == 1) { if($arrHostapdConf['LogEnable'] == 1) {
$log = file_get_contents('/tmp/hostapd.log'); $log = file_get_contents('/tmp/hostapd.log');
echo '<br /><textarea class="logoutput">'.$log.'</textarea>'; echo '<br /><textarea class="logoutput">'.htmlspecialchars($log, ENT_QUOTES).'</textarea>';
} else { } else {
echo "<br />Logfile output not enabled"; echo "<br />Logfile output not enabled";
} }
@ -154,8 +155,14 @@ function DisplayHostAPDConfig(){
<div class="col-md-4"> <div class="col-md-4">
<div class="form-check"> <div class="form-check">
<label class="form-check-label"> <label class="form-check-label">
<?php echo _("Enable logging"); ?> <?php $checked = ''; if($arrHostapdConf['LogEnable'] == 1) { $checked = 'checked'; } ?> <?php echo _("Enable logging");
<input id="logEnable" name ="logEnable" type="checkbox" class="form-check-input" value="1" <?php echo $checked; ?> /> $checked = '';
if ($arrHostapdConf['LogEnable'] == 1) {
$checked = ' checked="checked"';
}
?>
<input id="logEnable" name ="logEnable" type="checkbox" class="form-check-input" value="1"<?php echo $checked; ?> />
</label> </label>
</div> </div>
</div> </div>
@ -163,7 +170,7 @@ function DisplayHostAPDConfig(){
<div class="row"> <div class="row">
<div class="form-group col-md-4"> <div class="form-group col-md-4">
<label for="code"><?php echo _("Country Code"); ?></label> <label for="code"><?php echo _("Country Code"); ?></label>
<input type="hidden" id="selected_country" value="<?php echo $arrConfig['country_code'] ?>"> <input type="hidden" id="selected_country" value="<?php echo htmlspecialchars($arrConfig['country_code'], ENT_QUOTES); ?>">
<select class="form-control" id="countries" name="country_code"> <select class="form-control" id="countries" name="country_code">
<option value="AF">Afghanistan</option> <option value="AF">Afghanistan</option>
<option value="AX">Åland Islands</option> <option value="AX">Åland Islands</option>
@ -415,28 +422,29 @@ function DisplayHostAPDConfig(){
<option value="ZM">Zambia</option> <option value="ZM">Zambia</option>
<option value="ZW">Zimbabwe</option> <option value="ZW">Zimbabwe</option>
</select> </select>
<script> <script type="text/javascript">
country = document.getElementById("selected_country").value; var country = document.getElementById("selected_country").value;
countries = document.getElementById("countries"); var countries = document.getElementById("countries");
ops = countries.getElementsByTagName("option"); var ops = countries.getElementsByTagName("option");
for(i = 0;i < ops.length; i++) { for (var i = 0; i < ops.length; ++i) {
if(ops[i].value == country){ if(ops[i].value == country){
ops[i].selected=true; ops[i].selected=true;
break; break;
} }
} }
</script>
</script>
</div> </div>
</div><!-- /.panel-body --> </div><!-- /.panel-body -->
</div><!-- /.panel-primary --> </div><!-- /.panel-primary -->
<input type="submit" class="btn btn-outline btn-primary" name="SaveHostAPDSettings" value="<?php echo _("Save settings"); ?>" /> <input type="submit" class="btn btn-outline btn-primary" name="SaveHostAPDSettings" value="<?php echo _("Save settings"); ?>" />
<?php <?php
if($hostapdstatus[0] == 0) { if($hostapdstatus[0] == 0) {
echo '<input type="submit" class="btn btn-success" name="StartHotspot" value="' . _("Start hotspot") . '"/>'; echo '<input type="submit" class="btn btn-success" name="StartHotspot" value="' . _("Start hotspot") . '"/>' , PHP_EOL;
} else { } else {
echo '<input type="submit" class="btn btn-warning" name="StopHotspot" value="' . _("Stop hotspot") . '"/>'; echo '<input type="submit" class="btn btn-warning" name="StopHotspot" value="' . _("Stop hotspot") . '"/>' , PHP_EOL;
}; };
?> ?>
</form> </form>
</div></div><!-- /.panel-primary --> </div></div><!-- /.panel-primary -->
<div class="panel-footer"> <?php echo _("Information provided by hostapd"); ?></div> <div class="panel-footer"> <?php echo _("Information provided by hostapd"); ?></div>
@ -448,12 +456,17 @@ function DisplayHostAPDConfig(){
function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status) { function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status) {
// It should not be possible to send bad data for these fields so clearly // It should not be possible to send bad data for these fields so clearly
// someone is up to something if they fail. Fail silently. // someone is up to something if they fail. Fail silently.
if (!(array_key_exists($_POST['wpa'], $wpa_array) && array_key_exists($_POST['wpa_pairwise'], $enc_types) && in_array($_POST['hw_mode'], $modes))) { if (!(array_key_exists($_POST['wpa'], $wpa_array) &&
error_log("Attempting to set hostapd config with wpa='".$_POST['wpa']."', wpa_pairwise='".$_POST['wpa_pairwise']."' and hw_mode='".$_POST['hw_mode']."'"); array_key_exists($_POST['wpa_pairwise'], $enc_types) &&
in_array($_POST['hw_mode'], $modes))) {
error_log("Attempting to set hostapd config with wpa='".$_POST['wpa']."', wpa_pairwise='".$_POST['wpa_pairwise']."' and hw_mode='".$_POST['hw_mode']."'"); // FIXME: log injection
return false; return false;
} }
if ((!filter_var($_POST['channel'], FILTER_VALIDATE_INT)) || intval($_POST['channel']) < 1 || intval($_POST['channel']) > 14) {
error_log("Attempting to set channel to '".$_POST['channel']."'"); if ((!filter_var($_POST['channel'], FILTER_VALIDATE_INT)) ||
intval($_POST['channel']) < 1 ||
intval($_POST['channel']) > 14) {
error_log("Attempting to set channel to '".$_POST['channel']."'"); // FIXME: log injection
return false; return false;
} }
@ -477,25 +490,29 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
exec('sudo /etc/raspap/hostapd/disablelog.sh'); exec('sudo /etc/raspap/hostapd/disablelog.sh');
} }
} }
write_php_ini(["LogEnable" => $logEnable],'/etc/raspap/hostapd.ini'); write_php_ini(["LogEnable" => $logEnable],'/etc/raspap/hostapd.ini');
// Verify input // Verify input
if (strlen($_POST['ssid']) == 0 || strlen($_POST['ssid']) > 32) { if (empty($_POST['ssid']) || strlen($_POST['ssid']) > 32) {
// Not sure of all the restrictions of SSID // Not sure of all the restrictions of SSID
$status->addMessage('SSID must be between 1 and 32 characters', 'danger'); $status->addMessage('SSID must be between 1 and 32 characters', 'danger');
$good_input = false; $good_input = false;
} }
if (strlen($_POST['wpa_passphrase']) < 8 || strlen($_POST['wpa_passphrase']) > 63) { if (strlen($_POST['wpa_passphrase']) < 8 || strlen($_POST['wpa_passphrase']) > 63) {
$status->addMessage('WPA passphrase must be between 8 and 63 characters', 'danger'); $status->addMessage('WPA passphrase must be between 8 and 63 characters', 'danger');
$good_input = false; $good_input = false;
} }
if (! in_array($_POST['interface'], $interfaces)) { if (! in_array($_POST['interface'], $interfaces)) {
// The user is probably up to something here but it may also be a // The user is probably up to something here but it may also be a
// genuine error. // genuine error.
$status->addMessage('Unknown interface '.$_POST['interface'], 'danger'); $status->addMessage('Unknown interface '.$_POST['interface'], 'danger');
$good_input = false; $good_input = false;
} }
if (strlen($_POST['country_code']) != 0 && strlen($_POST['country_code']) != 2) {
if (strlen($_POST['country_code']) !== 0 && strlen($_POST['country_code']) != 2) {
$status->addMessage('Country code must be blank or two characters', 'danger'); $status->addMessage('Country code must be blank or two characters', 'danger');
$good_input = false; $good_input = false;
} }
@ -510,6 +527,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
fwrite($tmp_file, 'auth_algs=1'.PHP_EOL); fwrite($tmp_file, 'auth_algs=1'.PHP_EOL);
fwrite($tmp_file, 'wpa_key_mgmt=WPA-PSK'.PHP_EOL); fwrite($tmp_file, 'wpa_key_mgmt=WPA-PSK'.PHP_EOL);
// TODO: deal with ini file value escaping. E.g. ssid=E=mc2 becomes ssid=E\=mc2
fwrite($tmp_file, 'ssid='.$_POST['ssid'].PHP_EOL); fwrite($tmp_file, 'ssid='.$_POST['ssid'].PHP_EOL);
fwrite($tmp_file, 'channel='.$_POST['channel'].PHP_EOL); fwrite($tmp_file, 'channel='.$_POST['channel'].PHP_EOL);
fwrite($tmp_file, 'hw_mode='.$_POST['hw_mode'].PHP_EOL); fwrite($tmp_file, 'hw_mode='.$_POST['hw_mode'].PHP_EOL);
@ -531,6 +549,7 @@ function SaveHostAPDConfig($wpa_array, $enc_types, $modes, $interfaces, $status)
return false; return false;
} }
} }
return true; return true;
} }
?>
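Review bot: The new `empty($_POST['ssid'])` in SaveHostAPDConfig's SSID check also treats the string `'0'` as empty, so a valid one-character SSID of `0` is now rejected with 'SSID must be between 1 and 32 characters', which the original `strlen(...) == 0` accepted; `if (!isset($_POST['ssid']) || strlen($_POST['ssid']) == 0 || strlen($_POST['ssid']) > 32)` keeps the missing-key safety without that trap. The same validation block still lets `ssid` and `wpa_passphrase` reach the `fwrite($tmp_file, 'ssid='.$_POST['ssid'].PHP_EOL)` line unchanged, so besides the `=` escaping noted in the new TODO, a rejection of control characters — `if (preg_match('/[\x00-\x1F\x7F]/', $_POST['ssid'].$_POST['wpa_passphrase']))` adding a danger message and setting `$good_input = false` — would keep one form field from ever becoming more than one hostapd.conf line. The rewritten country-code check mixes `!== 0` and `!= 2` on the same line; both compare ints, so one operator should be used for both. SaveHostAPDConfig spans four hunks here, so parts of its body are not visible.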


@ -30,7 +30,7 @@ function DisplayNetworkingConfig(){
<li role="presentation" class="active"><a href="#summary" aria-controls="summary" role="tab" data-toggle="tab"><?php echo _("Summary"); ?></a></li> <li role="presentation" class="active"><a href="#summary" aria-controls="summary" role="tab" data-toggle="tab"><?php echo _("Summary"); ?></a></li>
<?php <?php
foreach($interfaces as $interface) { foreach($interfaces as $interface) {
echo '<li role="presentation"><a href="#'.$interface.'" aria-controls="'.$interface.'" role="tab" data-toggle="tab">'.$interface.'</a></li>'; echo '<li role="presentation"><a href="#'.htmlspecialchars($interface, ENT_QUOTES).'" aria-controls="'.htmlspecialchars($interface, ENT_QUOTES).'" role="tab" data-toggle="tab">'.htmlspecialchars($interface, ENT_QUOTES).'</a></li>';
} }
?> ?>
</ul> </ul>
@ -42,8 +42,8 @@ function DisplayNetworkingConfig(){
foreach($interfaces as $interface) { foreach($interfaces as $interface) {
echo '<div class="col-md-6"> echo '<div class="col-md-6">
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading">'.$interface.'</div> <div class="panel-heading">'.htmlspecialchars($interface, ENT_QUOTES).'</div>
<div class="panel-body" id="'.$interface.'-summary"></div> <div class="panel-body" id="'.htmlspecialchars($interface, ENT_QUOTES).'-summary"></div>
</div> </div>
</div>'; </div>';
} }
@ -55,63 +55,63 @@ function DisplayNetworkingConfig(){
</div><!-- /.row --> </div><!-- /.row -->
</div><!-- /.col-lg-12 --> </div><!-- /.col-lg-12 -->
</div><!-- /.tab-pane --> </div><!-- /.tab-pane -->
<?php <?php
foreach($interfaces as $interface) { foreach($interfaces as $interface) {
echo ' echo '
<div role="tabpanel" class="tab-pane fade in" id="'.$interface.'"> <div role="tabpanel" class="tab-pane fade in" id="'.htmlspecialchars($interface, ENT_QUOTES).'">
<div class="row"> <div class="row">
<div class="col-lg-6"> <div class="col-lg-6">
<form id="frm-'.$interface.'"> <form id="frm-'.htmlspecialchars($interface, ENT_QUOTES).'">
<div class="form-group"> <div class="form-group">
<h4>' . _("Adapter IP Address Settings") . '</h4> <h4>' . _("Adapter IP Address Settings") . '</h4>
<div class="btn-group" data-toggle="buttons"> <div class="btn-group" data-toggle="buttons">
<label class="btn btn-primary"> <label class="btn btn-primary">
<input type="radio" name="'.$interface.'-addresstype" id="'.$interface.'-dhcp" autocomplete="off">' . _("DHCP") . ' <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-addresstype" id="'.htmlspecialchars($interface, ENT_QUOTES).'-dhcp" autocomplete="off">' . _("DHCP") . '
</label> </label>
<label class="btn btn-primary"> <label class="btn btn-primary">
<input type="radio" name="'.$interface.'-addresstype" id="'.$interface.'-static" autocomplete="off">' . _("Static IP") . ' <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-addresstype" id="'.htmlspecialchars($interface, ENT_QUOTES).'-static" autocomplete="off">' . _("Static IP") . '
</label> </label>
</div><!-- /.btn-group --> </div><!-- /.btn-group -->
<h4>' . _("Enable Fallback to Static Option") . '</h4> <h4>' . _("Enable Fallback to Static Option") . '</h4>
<div class="btn-group" data-toggle="buttons"> <div class="btn-group" data-toggle="buttons">
<label class="btn btn-primary"> <label class="btn btn-primary">
<input type="radio" name="'.$interface.'-dhcpfailover" id="'.$interface.'-failover" autocomplete="off">' . _("Enabled") . ' <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-dhcpfailover" id="'.htmlspecialchars($interface, ENT_QUOTES).'-failover" autocomplete="off">' . _("Enabled") . '
</label> </label>
<label class="btn btn-warning"> <label class="btn btn-warning">
<input type="radio" name="'.$interface.'-dhcpfailover" id="'.$interface.'-nofailover" autocomplete="off">' . _("Disabled") . ' <input type="radio" name="'.htmlspecialchars($interface, ENT_QUOTES).'-dhcpfailover" id="'.htmlspecialchars($interface, ENT_QUOTES).'-nofailover" autocomplete="off">' . _("Disabled") . '
</label> </label>
</div><!-- /.btn-group --> </div><!-- /.btn-group -->
</div><!-- /.form-group --> </div><!-- /.form-group -->
<hr /> <hr />
<h4>' . _("Static IP Options") . '</h4> <h4>' . _("Static IP Options") . '</h4>
<div class="form-group"> <div class="form-group">
<label for="'.$interface.'-ipaddress">' . _("IP Address") . '</label> <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-ipaddress">' . _("IP Address") . '</label>
<input type="text" class="form-control" id="'.$interface.'-ipaddress" placeholder="0.0.0.0"> <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-ipaddress" placeholder="0.0.0.0">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="'.$interface.'-netmask">' . _("Subnet Mask") . '</label> <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-netmask">' . _("Subnet Mask") . '</label>
<input type="text" class="form-control" id="'.$interface.'-netmask" placeholder="255.255.255.0"> <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-netmask" placeholder="255.255.255.0">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="'.$interface.'-gateway">' . _("Default Gateway") . '</label> <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-gateway">' . _("Default Gateway") . '</label>
<input type="text" class="form-control" id="'.$interface.'-gateway" placeholder="0.0.0.0"> <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-gateway" placeholder="0.0.0.0">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="'.$interface.'-dnssvr">' . _("DNS Server") . '</label> <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvr">' . _("DNS Server") . '</label>
<input type="text" class="form-control" id="'.$interface.'-dnssvr" placeholder="0.0.0.0"> <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvr" placeholder="0.0.0.0">
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="'.$interface.'-dnssvralt">' . _("Alternate DNS Server") . '</label> <label for="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvralt">' . _("Alternate DNS Server") . '</label>
<input type="text" class="form-control" id="'.$interface.'-dnssvralt" placeholder="0.0.0.0"> <input type="text" class="form-control" id="'.htmlspecialchars($interface, ENT_QUOTES).'-dnssvralt" placeholder="0.0.0.0">
</div> </div>
<a href="#" class="btn btn-outline btn-primary intsave" data-int="'.$interface.'">' . _("Save settings") . '</a> <a href="#" class="btn btn-outline btn-primary intsave" data-int="'.htmlspecialchars($interface, ENT_QUOTES).'">' . _("Save settings") . '</a>
<a href="#" class="btn btn-warning intapply" data-int="'.$interface.'">' . _("Apply settings") . '</a> <a href="#" class="btn btn-warning intapply" data-int="'.htmlspecialchars($interface, ENT_QUOTES).'">' . _("Apply settings") . '</a>
</form> </form>
</div> </div>
</div><!-- /.tab-panel --> </div><!-- /.tab-panel -->
</div>'; </div>';
} }
?> ?>
</div><!-- /.tab-content --> </div><!-- /.tab-content -->
</div><!-- /.panel-body --> </div><!-- /.panel-body -->
<div class="panel-footer"><?php echo _("Information provided by /sys/class/net"); ?></div> <div class="panel-footer"><?php echo _("Information provided by /sys/class/net"); ?></div>
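Review bot: `htmlspecialchars($interface, ENT_QUOTES)` is repeated for every id and attribute inside the `foreach($interfaces as $interface)` block of DisplayNetworkingConfig, and again in the two earlier loops of this section, which makes the template hard to read and easy to get wrong on the next edit. Escaping once at the top of each loop, `$interface_html = htmlspecialchars($interface, ENT_QUOTES);`, and concatenating `$interface_html` in the markup gives identical output with one call per iteration. Because the value is also emitted as an HTML id and as `data-int`, which the page's script apparently posts back to the ajax handler, a comment such as `// interface names are read from /sys/class/net; escaped once here for HTML attribute and text context` would record why no further validation happens at this point. DisplayNetworkingConfig begins before the first hunk of this section.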


@ -35,6 +35,8 @@ function RPiVersion() {
'a02082' => 'Pi 3 Model B', 'a02082' => 'Pi 3 Model B',
'a22082' => 'Pi 3 Model B' 'a22082' => 'Pi 3 Model B'
); );
$cpuinfo_array = '';
exec('cat /proc/cpuinfo', $cpuinfo_array); exec('cat /proc/cpuinfo', $cpuinfo_array);
$rev = trim(array_pop(explode(':',array_pop(preg_grep("/^Revision/", $cpuinfo_array))))); $rev = trim(array_pop(explode(':',array_pop(preg_grep("/^Revision/", $cpuinfo_array)))));
if (array_key_exists($rev, $revisions)) { if (array_key_exists($rev, $revisions)) {
@ -141,23 +143,23 @@ function DisplaySystem(){
<div class="row"> <div class="row">
<div class="col-lg-6"> <div class="col-lg-6">
<h4><?php echo _("System Information"); ?></h4> <h4><?php echo _("System Information"); ?></h4>
<div class="info-item"><?php echo _("Hostname"); ?></div> <?php echo $hostname ?></br> <div class="info-item"><?php echo _("Hostname"); ?></div> <?php echo htmlspecialchars($hostname, ENT_QUOTES); ?></br>
<div class="info-item"><?php echo _("Pi Revision"); ?></div> <?php echo RPiVersion() ?></br> <div class="info-item"><?php echo _("Pi Revision"); ?></div> <?php echo htmlspecialchars(RPiVersion(), ENT_QUOTES); ?></br>
<div class="info-item"><?php echo _("Uptime"); ?></div> <?php echo $uptime ?></br></br> <div class="info-item"><?php echo _("Uptime"); ?></div> <?php echo htmlspecialchars($uptime, ENT_QUOTES); ?></br></br>
<div class="info-item"><?php echo _("Memory Used"); ?></div> <div class="info-item"><?php echo _("Memory Used"); ?></div>
<div class="progress"> <div class="progress">
<div class="progress-bar progress-bar-<?php echo $memused_status ?> progress-bar-striped active" <div class="progress-bar progress-bar-<?php echo htmlspecialchars($memused_status, ENT_QUOTES); ?> progress-bar-striped active"
role="progressbar" role="progressbar"
aria-valuenow="<?php echo $memused ?>" aria-valuemin="0" aria-valuemax="100" aria-valuenow="<?php echo htmlspecialchars($memused, ENT_QUOTES); ?>" aria-valuemin="0" aria-valuemax="100"
style="width: <?php echo $memused ?>%;"><?php echo $memused ?>% style="width: <?php echo htmlspecialchars($memused, ENT_QUOTES); ?>%;"><?php echo htmlspecialchars($memused, ENT_QUOTES); ?>%
</div> </div>
</div> </div>
<div class="info-item"><?php echo _("CPU Load"); ?></div> <div class="info-item"><?php echo _("CPU Load"); ?></div>
<div class="progress"> <div class="progress">
<div class="progress-bar progress-bar-<?php echo $cpuload_status ?> progress-bar-striped active" <div class="progress-bar progress-bar-<?php echo htmlspecialchars($cpuload_status, ENT_QUOTES); ?> progress-bar-striped active"
role="progressbar" role="progressbar"
aria-valuenow="<?php echo $cpuload ?>" aria-valuemin="0" aria-valuemax="100" aria-valuenow="<?php echo htmlspecialchars($cpuload, ENT_QUOTES); ?>" aria-valuemin="0" aria-valuemax="100"
style="width: <?php echo $cpuload ?>%;"><?php echo $cpuload ?>% style="width: <?php echo htmlspecialchars($cpuload, ENT_QUOTES); ?>%;"><?php echo htmlspecialchars($cpuload, ENT_QUOTES); ?>%
</div> </div>
</div> </div>
@ -200,9 +202,9 @@ function DisplaySystem(){
</form> </form>
</div><!-- /.panel-primary --> </div><!-- /.panel-primary -->
<div class="panel-footer"></div> <div class="panel-footer"></div>
</div><!-- /.panel-primary -->
</div><!-- /.col-lg-12 --> </div><!-- /.col-lg-12 -->
</div><!-- /.row --> </div><!-- /.row -->
</xdiv>
<?php <?php
} }
?>
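Review bot: The added `$cpuinfo_array = '';` in RPiVersion initialises the exec() output buffer with a string rather than an array; exec() replaces a non-array argument by reference, so it works, but `$cpuinfo_array = [];` states the intent and matches what the following `preg_grep` expects. Since /proc/cpuinfo is an ordinary file, `$cpuinfo_array = file('/proc/cpuinfo', FILE_IGNORE_NEW_LINES) ?: [];` would give the same list without spawning a shell for `cat`. The nested `array_pop(explode(':', array_pop(preg_grep(...))))` on the next line passes temporaries by reference, which PHP 7 reports as a notice on every page load; assigning the `preg_grep` result to a local first keeps the log clean and makes the "no Revision line" case explicit. RPiVersion starts before the first hunk of this section.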


@ -11,13 +11,13 @@ function DisplayThemeConfig(){
switch( $_COOKIE['theme'] ) { switch( $_COOKIE['theme'] ) {
case "custom.css": case "custom.css":
$cselected = "selected"; $cselected = ' selected="selected"';
break; break;
case "hackernews.css": case "hackernews.css":
$hselected = "selected"; $hselected = ' selected="selected"';
break; break;
case "terminal.css": case "terminal.css":
$tselected = "selected"; $tselected = ' selected="selected"';
break; break;
} }
@ -37,9 +37,9 @@ function DisplayThemeConfig(){
<div class="form-group col-md-6"> <div class="form-group col-md-6">
<label for="code"><?php echo _("Select a theme"); ?></label> <label for="code"><?php echo _("Select a theme"); ?></label>
<select class="form-control" id="theme-select"><?php echo _("Select a Theme"); ?> <select class="form-control" id="theme-select"><?php echo _("Select a Theme"); ?>
<option value="default" class="theme-link" <?php echo $cselected; ?>>RaspAP (default)</option> <option value="default" class="theme-link"<?php echo $cselected; ?>>RaspAP (default)</option>
<option value="hackernews" class="theme-link"<?php echo $hselected; ?>>HackerNews</option> <option value="hackernews" class="theme-link"<?php echo $hselected; ?>>HackerNews</option>
<option value="terminal" class="theme-link" <?php echo $tselected; ?>>Terminal</option> <option value="terminal" class="theme-link"<?php echo $tselected; ?>>Terminal</option>
</select> </select>
</div> </div>
</div> </div>
@ -59,5 +59,4 @@ function DisplayThemeConfig(){
</div><!-- /.row --> </div><!-- /.row -->
<?php <?php
} }
?>