fwhosts.cgi Fix for bug 13876 & bug 13877
authorAdolf Belka <adolf.belka@ipfire.org>
Thu, 25 Sep 2025 11:12:37 +0000 (13:12 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Thu, 2 Oct 2025 16:54:33 +0000 (16:54 +0000)
Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting
Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
html/cgi-bin/fwhosts.cgi

index 953f81e5f9d6e9863cd54794baf8417eb53fd2ad..a666969b0c949779b77b5b9fcf2b8d31498cf0ec 100644 (file)
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013 Alexander Marx <amarx@ipfire.org>                        #
+# Copyright (C) 2013-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -714,7 +714,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp')
        }
 
        if ($fwhostsettings{'update'} eq 'on'){
-               @target=$fwhostsettings{'COUNTRY_CODE'};
+               @target=&Header::escape($fwhostsettings{'COUNTRY_CODE'});
                $type='Location Group';
 
                #check if host/net exists in grp
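Review bot: Escaping `COUNTRY_CODE` with `&Header::escape` as it is copied into `@target` neutralises markup, but it still lets an arbitrary string be stored as a location-group member and ties the saved config data to one output encoding. A country code has a narrow shape, so the assignment would be safer behind a reject-on-mismatch test such as `$fwhostsettings{'COUNTRY_CODE'} =~ /\A[A-Z0-9]{2}\z/` (pattern assumed; match it to the codes the location database really uses), with escaping done where the value is printed. The same point applies to `PROT` in the `saveservice` hunk, which presumably only takes a few fixed protocol names and could be checked against that list. The `savelocationgrp` block starts and ends outside this hunk, so validation that is not visible here may already exist.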
@@ -796,7 +796,7 @@ if ($fwhostsettings{'ACTION'} eq 'saveservice')
                foreach my $i (0 .. 4) { $customservice{$key}[$i] = "";}
                $customservice{$key}[0] = $fwhostsettings{'SRV_NAME'};
                $customservice{$key}[1] = $fwhostsettings{'SRV_PORT'};
-               $customservice{$key}[2] = $fwhostsettings{'PROT'};
+               $customservice{$key}[2] = &Header::escape($fwhostsettings{'PROT'});
                $customservice{$key}[3] = $ICMP;
                &General::writehasharray("$configsrv", \%customservice );
                #reset fields
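Review bot: `SRV_NAME` and `SRV_PORT` are stored in `%customservice` on the two lines directly above the escaped `PROT` without the same treatment. If either one reaches an HTML page unvalidated, the stored-XSS class fixed here for `PROT` stays open through the neighbouring fields. Whether they are checked earlier in `saveservice` cannot be seen from this hunk. If they are not, the name should get the same call, `$customservice{$key}[0] = &Header::escape($fwhostsettings{'SRV_NAME'});`, and `SRV_PORT` should be validated as a port or port range before `&General::writehasharray` persists it.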