From: Michael Tremer
Date: Wed, 10 Apr 2024 10:34:45 +0000 (+0200)
Subject: ovpnmain.cgi: Fix checking custom routes
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c38818eb82b051fd60ef0e513d2c626a1cd462e6;p=people%2Fms%2Fipfire-2.x.git
ovpnmain.cgi: Fix checking custom routes
Signed-off-by: Michael Tremer
---
diff --git a/doc/language_issues.de b/doc/language_issues.de
index cb1e0584a..c9678af2d 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -603,6 +603,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -1013,6 +1015,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.en b/doc/language_issues.en
index 686f5f6e6..0277f0b00 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1437,8 +1437,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.es b/doc/language_issues.es
index dd65458b2..41f74e1bb 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -658,6 +658,8 @@ WARNING: translation string unused: ovpn dh parameters
 WARNING: translation string unused: ovpn dh upload
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error dh
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
@@ -1074,6 +1076,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index c08f22a9d..c9e062f61 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -633,6 +633,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -1020,6 +1022,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.it b/doc/language_issues.it
index 57c07da7b..f769a2f4b 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -586,6 +586,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1257,6 +1259,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index e3a3054e0..254617f79 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -587,6 +587,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn mtu-disc
 WARNING: translation string unused: ovpn mtu-disc and mtu not 1500
@@ -1282,6 +1284,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 5ba5a05e5..2a1233aa0 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1437,8 +1437,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 773ca692c..cf54dacbc 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -512,6 +512,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn on blue
 WARNING: translation string unused: ovpn on orange
@@ -1435,6 +1437,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index e9f598a03..7f409791c 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -616,6 +616,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1173,6 +1175,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_missings b/doc/language_missings
index 3a25710a3..082f63afa 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -89,6 +89,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -175,6 +176,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -232,6 +234,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -632,6 +635,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -1213,6 +1217,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -2114,6 +2119,7 @@
 < ovpn engines
 < ovpn errmsg green already pushed
 < ovpn errmsg invalid ip or mask
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -3148,6 +3154,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -3686,6 +3693,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f792aafb6..3be6b0305 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -893,9 +893,7 @@ sub writecollectdconf {
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
 
- #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
- #DAN this value has to leave.
-#new settings for daemon
+
 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
@@ -909,7 +907,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
- my @temp=();
 # We must have at least one cipher selected
 if ($cgiparams{'DATACIPHERS'} eq '') {
@@ -975,54 +972,37 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 goto ADV_ERROR;
 }
 }
+
+ # Validate pushed routes
 if ($cgiparams{'ROUTES_PUSH'} ne ''){
- @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
- undef $vpnsettings{'ROUTES_PUSH'};
+ my @temp = split(/\n/, $cgiparams{'ROUTES_PUSH'});
 
- foreach my $tmpip (@temp)
- {
- s/^\s+//g; s/\s+$//g;
+ # Reset stored routes
+ $vpnsettings{'ROUTES_PUSH'} = "";
 
- if ($tmpip)
- {
- $tmpip=~s/\s*$//g;
- unless (&General::validipandmask($tmpip)) {
- $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
- goto ADV_ERROR;
- }
- my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
+ foreach my $route (@temp) {
+ chomp($route);
 
- if ($ip eq $Network::ethernet{'GREEN_NETADDRESS'} && $cidr eq $Network::ethernet{'GREEN_NETMASK'}) {
- $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
- goto ADV_ERROR;
- }
+ # Remove any excess whitespace
+ $route =~ s/^\s+//g;
+ $route =~ s/\s+$//g;
 
- my %ccdroutehash=();
- &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
- foreach my $key (keys %ccdroutehash) {
- foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
- if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
- $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
- goto ADV_ERROR;
- }
- my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
- if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
- $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
- goto ADV_ERROR;
- }
- }
+ # Skip empty lines
+ next if ($route eq "");
+
+ unless (&Network::check_subnet($route)) {
+ $errormessage = "$Lang::tr{'ovpn errmsg invalid route'}: $route";
+ goto ADV_ERROR;
 }
- $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
+ $vpnsettings{'ROUTES_PUSH'} .= $route . "\n";
 }
- }
- &write_routepushfile;
- undef $vpnsettings{'ROUTES_PUSH'};
- }
- else {
- undef $vpnsettings{'ROUTES_PUSH'};
- &write_routepushfile;
+
+ &write_routepushfile();
+
+ undef $vpnsettings{'ROUTES_PUSH'};
 }
+
 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
 $errormessage = $Lang::tr{'invalid input for max clients'};
 goto ADV_ERROR;
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index 229b9ddc1..aea6740d7 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2034,6 +2034,7 @@
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
+'ovpn errmsg invalid route' => 'Invalid route',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
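Review bot: Clearing the pushed-routes field no longer rewrites the route-push file: the removed `else` branch called `&write_routepushfile` when ROUTES_PUSH was empty, while the new code calls `&write_routepushfile()` only inside `if ($cgiparams{'ROUTES_PUSH'} ne '')`, so routes an administrator deletes from the textarea stay in the file and presumably keep being pushed to clients until some other save regenerates it. Initialising `$vpnsettings{'ROUTES_PUSH'} = "";` before the `if`, and moving the write and the `undef` after its closing brace, restores the old behaviour for an emptied field. The new side also drops the old checks against the green network and the per-client ccdroute entries without the commit message saying so; if that is intentional it deserves a sentence, since an overlapping route now goes unreported. Minor: `/g` on the anchored `s/^\s+//g` and `s/\s+$//g` is a no-op, and `chomp($route)` has nothing left to strip after `split(/\n/, ...)`. write_routepushfile is defined outside the hunk, so the entry format it expects (CIDR as typed, or a normalised form) cannot be confirmed here.
```perl
	# Validate pushed routes; always rewrite the route-push file so that an
	# emptied field also removes previously pushed routes
	$vpnsettings{'ROUTES_PUSH'} = "";

	if ($cgiparams{'ROUTES_PUSH'} ne '') {
		foreach my $route (split(/\n/, $cgiparams{'ROUTES_PUSH'})) {
			# … unchanged: whitespace trimming, empty-line skip, check_subnet, append …
		}
	}

	&write_routepushfile();

	undef $vpnsettings{'ROUTES_PUSH'};
```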
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
', 'ovpn fallback cipher' => 'Fallback Cipher', 'ovpn fallback cipher help' => 'This cipher is being used by clients that do not support cipher negotiation.',