From 1e14ff05e7112b8b41aafc930fe0988b827f0e1a Mon Sep 17 00:00:00 2001 From: Michael Tremer Date: Thu, 25 Sep 2025 17:02:18 +0200 Subject: [PATCH] fwhosts.cgi: Check country code before proceeding Signed-off-by: Michael Tremer --- config/cfgroot/general-functions.pl | 8 ++++++++ doc/language_issues.en | 1 + doc/language_issues.es | 1 + doc/language_issues.fr | 1 + doc/language_issues.it | 1 + doc/language_issues.nl | 1 + doc/language_issues.pl | 1 + doc/language_issues.ru | 1 + doc/language_issues.tr | 1 + doc/language_issues.tw | 1 + doc/language_issues.zh | 1 + doc/language_missings | 9 +++++++++ html/cgi-bin/fwhosts.cgi | 6 +++++- langs/de/cgi-bin/de.pl | 1 + langs/en/cgi-bin/en.pl | 1 + 15 files changed, 34 insertions(+), 1 deletion(-) diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index 33b5605e2..94d0e7440 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -864,6 +864,14 @@ sub validportrange # used to check a port range } } +# Checks for a valid country code +sub validcc($) { + my $cc = shift; + + # Must contain of exactly two uppercase characters, or must be A1, A2, or A3 + return ($cc =~ m/^([A-Z]{2}|A[123])$/); +} + sub IpInSubnet { my $addr = shift; my $network = shift; diff --git a/doc/language_issues.en b/doc/language_issues.en index 808556beb..4376ec232 100644 --- a/doc/language_issues.en +++ b/doc/language_issues.en 
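Review bot: In `validcc`, the pattern `m/^([A-Z]{2}|A[123])$/` also accepts a value that ends in a newline, because `$` matches before a final `\n`; anchoring with `\A` and `\z` closes that, e.g. `return ($cc =~ m/\A([A-Z]{2}|A[123])\z/);`. This matters here because the same commit stops escaping `COUNTRY_CODE` in fwhosts.cgi and relies on this check instead. The `($)` prototype does no argument validation and is bypassed by the `&General::validcc(...)` call form used in fwhosts.cgi, so it can be dropped. In the comment, "Must contain of" should read "Must consist of".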
@@ -942,6 +942,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
 WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
 WARNING: untranslated string: fwhost hint = Note
 WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: fwhost ip_mac = IP/MAC address
 WARNING: untranslated string: fwhost ipsec net = IPsec networks:
 WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.es b/doc/language_issues.es
index 6f005949a..aa40df21f 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -1028,6 +1028,7 @@ WARNING: untranslated string: error message = unknown string
 WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: guardian block a host = unknown string
 WARNING: untranslated string: guardian block httpd brute-force = unknown string
 WARNING: untranslated string: guardian block ssh brute-force = unknown string
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index 4439b300a..f4591ca74 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -1014,6 +1014,7 @@ WARNING: untranslated string: extrahd because it is outside the allowed mount pa
 WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: fwhost wg peers = WireGuard Peers
 WARNING: untranslated string: guardian block a host = unknown string
 WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_issues.it b/doc/language_issues.it
index d2e2439c0..f40373b1c 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -1116,6 +1116,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups
 WARNING: untranslated string: fwhost cust locationgroup = Location Groups
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: fwhost newlocationgrp = Location Groups
 WARNING: untranslated string: fwhost wg peers = WireGuard Peers
 WARNING: untranslated string: generate ptr = Generate PTR
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 0224acb3a..733904195 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -1123,6 +1123,7 @@ WARNING: untranslated string: fwhost cust location = Location Groups
 WARNING: untranslated string: fwhost cust locationgroup = Location Groups
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: fwhost newlocationgrp = Location Groups
 WARNING: untranslated string: fwhost wg peers = WireGuard Peers
 WARNING: untranslated string: generate ptr = Generate PTR
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index e598262e2..ea17e70f0 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1223,6 +1223,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
 WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
 WARNING: untranslated string: fwhost hint = Note
 WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: fwhost ip_mac = IP/MAC address
 WARNING: untranslated string: fwhost ipsec net = IPsec networks:
 WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index 9bd9f2a61..9fc1cb383 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -1221,6 +1221,7 @@ WARNING: untranslated string: fwhost err srvexist = This service already exists
 WARNING: untranslated string: fwhost err sub32 = Please add a network, not a single host
 WARNING: untranslated string: fwhost hint = Note
 WARNING: untranslated string: fwhost icmptype = ICMP type:
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: fwhost ip_mac = IP/MAC address
 WARNING: untranslated string: fwhost ipsec net = IPsec networks:
 WARNING: untranslated string: fwhost menu = Firewall Groups
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 6517beaa9..c306058d5 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -1063,6 +1063,7 @@ WARNING: untranslated string: fwdfw all subnets = All subnets
 WARNING: untranslated string: fwdfw syn flood protection = Enable SYN Flood Protection (TCP only)
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: fwhost wg peers = WireGuard Peers
 WARNING: untranslated string: generate ptr = Generate PTR
 WARNING: untranslated string: guardian block a host = unknown string
diff --git a/doc/language_issues.tw b/doc/language_issues.tw
index ac4544bca..384f8e376 100644
--- a/doc/language_issues.tw
+++ b/doc/language_issues.tw
@@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string
 WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth
 WARNING: untranslated string: guardian block a host = unknown string
 WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_issues.zh b/doc/language_issues.zh
index ac4544bca..384f8e376 100644
--- a/doc/language_issues.zh
+++ b/doc/language_issues.zh
@@ -1036,6 +1036,7 @@ WARNING: untranslated string: error message = unknown string
 WARNING: untranslated string: extrahd because it is outside the allowed mount path = unknown string
 WARNING: untranslated string: fwhost cust locationgrp = unknown string
 WARNING: untranslated string: fwhost err hostip = unknown string
+WARNING: untranslated string: fwhost invalid country code = Invalid Country Code
 WARNING: untranslated string: guaranteed bandwidth = Guaranteed bandwidth
 WARNING: untranslated string: guardian block a host = unknown string
 WARNING: untranslated string: guardian block httpd brute-force = unknown string
diff --git a/doc/language_missings b/doc/language_missings
index d0cf1318e..9838c5016 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -156,6 +156,7 @@
 < AES-256-GCM
 < CHACHA20-POLY1305
 < dns servers
+< fwhost invalid country code
 < ids all including informational
 < ids email alerts
 < ids email alert severity
@@ -243,6 +244,7 @@
 < endpoint port
 < extrahd because it it outside the allowed mount path
 < fwdfw syn flood protection
+< fwhost invalid country code
 < fwhost wg peers
 < g.dtm
 < g.lite
@@ -620,6 +622,7 @@ < fwhost cust location < fwhost cust locationgroup < fwhost cust locationlocation +< fwhost invalid country code < fwhost newlocationgrp < fwhost wg peers < fw red @@ -1305,6 +1308,7 @@ < fwhost cust location < fwhost cust locationgroup < fwhost cust locationlocation +< fwhost invalid country code < fwhost newlocationgrp < fwhost wg peers < fw red @@ -2254,6 +2258,7 @@ < fwhost hint < fwhost hosts < fwhost icmptype +< fwhost invalid country code < fwhost ipadr < fwhost ip_mac < fwhost ipsec host @@ -3407,6 +3412,7 @@ < fwhost hint < fwhost hosts < fwhost icmptype +< fwhost invalid country code < fwhost ipadr < fwhost ip_mac < fwhost ipsec host @@ -4195,6 +4201,7 @@ < foreshadow < fwdfw all subnets < fwdfw syn flood protection +< fwhost invalid country code < fwhost wg peers < fw red < generate ptr @@ -4574,6 +4581,7 @@ < Captive wrong type < CHACHA20-POLY1305 < dns servers +< fwhost invalid country code < guaranteed bandwidth < ids all including informational < ids email alerts @@ -4662,6 +4670,7 @@ < Captive wrong type < CHACHA20-POLY1305 < dns servers +< fwhost invalid country code < guaranteed bandwidth < ids all including informational < ids email alerts diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index a666969b0..dd0200a8e 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -703,6 +703,10 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp') # Check name if (!&validhostname($grp)){$errormessage.=$Lang::tr{'fwhost err name'};} + unless (&General::validcc($fwhostsettings{'COUNTRY_CODE'})) { + $errormessage = $Lang::tr{'fwhost invalid country code'}; + } + # Check for existing group name. if (!&checkgroup($grp) && $fwhostsettings{'update'} ne 'on'){ $errormessage = $Lang::tr{'fwhost err grpexist'}; 
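Review bot: The added check assigns with `$errormessage = $Lang::tr{'fwhost invalid country code'};` while the name check directly above appends with `.=`, so an invalid-name message is discarded when both checks fail. The group-existence check right after the added block assigns with `=` again and can in turn replace the country-code message, so the user sees only one of the problems. Picking one convention for the three checks would avoid that, for instance running the later checks only while `$errormessage` is still empty. The enclosing `savelocationgrp` block starts and ends outside this hunk.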
@@ -714,7 +718,7 @@ if ($fwhostsettings{'ACTION'} eq 'savelocationgrp') } if ($fwhostsettings{'update'} eq 'on'){ - @target=&Header::escape($fwhostsettings{'COUNTRY_CODE'}); + @target = $fwhostsettings{'COUNTRY_CODE'}; $type='Location Group'; #check if host/net exists in grp diff --git a/langs/de/cgi-bin/de.pl b/langs/de/cgi-bin/de.pl index 8ef466cbc..efa0eaf69 100644 --- a/langs/de/cgi-bin/de.pl +++ b/langs/de/cgi-bin/de.pl @@ -1289,6 +1289,7 @@ 'fwhost hint' => 'Hinweis', 'fwhost hosts' => 'Firewall-Hosts', 'fwhost icmptype' => 'ICMP-Typ:', +'fwhost invalid country code' => 'Ungültiger Ländercode', 'fwhost ip_mac' => 'IP/MAC-Adresse', 'fwhost ipadr' => 'IP-Adresse:', 'fwhost ipsec host' => 'IPsec-Clients:', diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl index 7c8b24f6a..3aab75efd 100644 --- a/langs/en/cgi-bin/en.pl +++ b/langs/en/cgi-bin/en.pl @@ -1341,6 +1341,7 @@ 'fwhost hint' => 'Note', 'fwhost hosts' => 'Firewall Hosts', 'fwhost icmptype' => 'ICMP type:', +'fwhost invalid country code' => 'Invalid Country Code', 'fwhost ip_mac' => 'IP/MAC address', 'fwhost ipadr' => 'IP address:', 'fwhost ipsec host' => 'IPsec clients:', -- 2.47.3
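Review bot: With `&Header::escape` removed, `@target = $fwhostsettings{'COUNTRY_CODE'};` takes the request value as-is, so `General::validcc` from the earlier hunk is the only filter on what this branch goes on to use for the location group. The hunk does not show whether this `update` branch is skipped once `$errormessage` is set; if it is not, a value that failed validation would still reach this assignment, so that gate should be confirmed. A comment on the assignment would record the dependency for later edits, e.g. `# COUNTRY_CODE passed General::validcc above; used unescaped`. The enclosing block starts and ends outside the hunk.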