firewall.cgi: Fixes XSS potential

- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
   Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
   ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
   free rulenumber digit

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi
index 5f1eac09e6612a7ea9db8eb39c4a2b91d0ee67f8..20e6a95e457350e11d3d97f3f505f08b9f08c7bf 100644 (file)
--- a/html/cgi-bin/firewall.cgi
+++ b/html/cgi-bin/firewall.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
+# Copyright (C) 2013-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -2351,6 +2351,7 @@ sub saverule
                $fwdfwsettings{'ruleremark'}=~ s/,/;/g;
                utf8::decode($fwdfwsettings{'ruleremark'});
                $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'});
+               $fwdfwsettings{'PROT'}=&Header::escape($fwdfwsettings{'PROT'});
                if ($fwdfwsettings{'updatefwrule'} ne 'on'){
                        my $key = &General::findhasharraykey ($hash);
                        $$hash{$key}[0]  = $fwdfwsettings{'RULE_ACTION'};