From 74aa0407403c7ac59f45667291f35ac291f89b23 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 10 Apr 2024 12:34:45 +0200
Subject: [PATCH] ovpnmain.cgi: Fix checking custom routes

Signed-off-by: Michael Tremer
---
 doc/language_issues.de | 3 ++
 doc/language_issues.en | 3 +-
 doc/language_issues.es | 3 ++
 doc/language_issues.fr | 3 ++
 doc/language_issues.it | 3 ++
 doc/language_issues.nl | 3 ++
 doc/language_issues.pl | 3 +-
 doc/language_issues.ru | 3 ++
 doc/language_issues.tr | 3 ++
 doc/language_missings | 8 +++++
 html/cgi-bin/ovpnmain.cgi | 66 ++++++++++++++------------------------
 langs/en/cgi-bin/en.pl | 1 +
 12 files changed, 55 insertions(+), 47 deletions(-)

diff --git a/doc/language_issues.de b/doc/language_issues.de
index 665626792..2defaac95 100644
--- a/doc/language_issues.de
+++ b/doc/language_issues.de
@@ -615,6 +615,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -1037,6 +1039,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.en b/doc/language_issues.en
index cd59942a3..6febb11aa 100644
--- a/doc/language_issues.en
+++ b/doc/language_issues.en
@@ -1422,8 +1422,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.es b/doc/language_issues.es
index adba79228..006ba8bcf 100644
--- a/doc/language_issues.es
+++ b/doc/language_issues.es
@@ -669,6 +669,8 @@ WARNING: translation string unused: ovpn dh parameters
 WARNING: translation string unused: ovpn dh upload
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error dh
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
@@ -1100,6 +1102,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.fr b/doc/language_issues.fr
index ea3825a62..36e4eeadc 100644
--- a/doc/language_issues.fr
+++ b/doc/language_issues.fr
@@ -645,6 +645,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn error md5
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn log
@@ -1048,6 +1050,7 @@ WARNING: untranslated string: ovpn ciphers = Ciphers
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.it b/doc/language_issues.it
index dd02424f6..defbc0422 100644
--- a/doc/language_issues.it
+++ b/doc/language_issues.it
@@ -596,6 +596,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1281,6 +1283,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.nl b/doc/language_issues.nl
index 2443fc801..ed1d88b08 100644
--- a/doc/language_issues.nl
+++ b/doc/language_issues.nl
@@ -597,6 +597,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn mtu-disc
 WARNING: translation string unused: ovpn mtu-disc and mtu not 1500
@@ -1306,6 +1308,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.pl b/doc/language_issues.pl
index 330293701..2363d7fc8 100644
--- a/doc/language_issues.pl
+++ b/doc/language_issues.pl
@@ -1461,8 +1461,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
-WARNING: untranslated string: ovpn errmsg green already pushed = Route for green network is always set
-WARNING: untranslated string: ovpn errmsg invalid ip or mask = Invalid network-address or subnetmask
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.ru b/doc/language_issues.ru
index dfa56ba1c..ebcef479b 100644
--- a/doc/language_issues.ru
+++ b/doc/language_issues.ru
@@ -522,6 +522,8 @@ WARNING: translation string unused: override mtu
 WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn log
 WARNING: translation string unused: ovpn on blue
 WARNING: translation string unused: ovpn on orange
@@ -1459,6 +1461,7 @@ WARNING: untranslated string: ovpn crypt options = unknown string
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_issues.tr b/doc/language_issues.tr
index 3dc5d722f..37798b355 100644
--- a/doc/language_issues.tr
+++ b/doc/language_issues.tr
@@ -626,6 +626,8 @@ WARNING: translation string unused: ovpn config
 WARNING: translation string unused: ovpn device
 WARNING: translation string unused: ovpn dl
 WARNING: translation string unused: ovpn engines
+WARNING: translation string unused: ovpn errmsg green already pushed
+WARNING: translation string unused: ovpn errmsg invalid ip or mask
 WARNING: translation string unused: ovpn generating the root and host certificates
 WARNING: translation string unused: ovpn hmac
 WARNING: translation string unused: ovpn log
@@ -1197,6 +1199,7 @@ WARNING: untranslated string: ovpn connection name = Connection Name
 WARNING: untranslated string: ovpn crypto settings = Cryptographic Settings
 WARNING: untranslated string: ovpn dhcp settings = DHCP Settings
 WARNING: untranslated string: ovpn dynamic client subnet = Dynamic Client Subnet
+WARNING: untranslated string: ovpn errmsg invalid route = Invalid route
 WARNING: untranslated string: ovpn fallback cipher = Fallback Cipher
 WARNING: untranslated string: ovpn fallback cipher help = This cipher is being used by clients that do not support cipher negotiation.
 WARNING: untranslated string: ovpn fqdn = FQDN
diff --git a/doc/language_missings b/doc/language_missings
index d21f83beb..43fd82bb8 100644
--- a/doc/language_missings
+++ b/doc/language_missings
@@ -89,6 +89,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -180,6 +181,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -245,6 +247,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn fallback cipher
 < ovpn fallback cipher help
 < ovpn fqdn
@@ -653,6 +656,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -1242,6 +1246,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -2151,6 +2156,7 @@
 < ovpn engines
 < ovpn errmsg green already pushed
 < ovpn errmsg invalid ip or mask
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -3193,6 +3199,7 @@
 < ovpn dhcp settings
 < ovpn dynamic client subnet
 < ovpn engines
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
@@ -3739,6 +3746,7 @@
 < ovpn crypto settings
 < ovpn dhcp settings
 < ovpn dynamic client subnet
+< ovpn errmsg invalid route
 < ovpn error md5
 < ovpn fallback cipher
 < ovpn fallback cipher help
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index f792aafb6..3be6b0305 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -893,9 +893,7 @@ sub writecollectdconf {
 
 if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings);
- #DAN do we really need (to to check) this value? Besides if we listen on blue and orange too,
- #DAN this value has to leave.
-#new settings for daemon
+
 $vpnsettings{'DPROTOCOL'} = $cgiparams{'DPROTOCOL'};
 $vpnsettings{'DDEST_PORT'} = $cgiparams{'DDEST_PORT'};
 $vpnsettings{'DMTU'} = $cgiparams{'DMTU'};
@@ -909,7 +907,6 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 $vpnsettings{'DCIPHER'} = $cgiparams{'DCIPHER'};
 $vpnsettings{'DAUTH'} = $cgiparams{'DAUTH'};
 $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'};
- my @temp=();
 
 # We must have at least one cipher selected
 if ($cgiparams{'DATACIPHERS'} eq '') {
@@ -975,54 +972,37 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save-adv-options'}) {
 goto ADV_ERROR;
 }
 }
+
+ # Validate pushed routes
 if ($cgiparams{'ROUTES_PUSH'} ne ''){
- @temp = split(/\n/,$cgiparams{'ROUTES_PUSH'});
- undef $vpnsettings{'ROUTES_PUSH'};
+ my @temp = split(/\n/, $cgiparams{'ROUTES_PUSH'});
 
- foreach my $tmpip (@temp)
- {
- s/^\s+//g; s/\s+$//g;
+ # Reset stored routes
+ $vpnsettings{'ROUTES_PUSH'} = "";
 
- if ($tmpip)
- {
- $tmpip=~s/\s*$//g;
- unless (&General::validipandmask($tmpip)) {
- $errormessage = "$tmpip ".$Lang::tr{'ovpn errmsg invalid ip or mask'};
- goto ADV_ERROR;
- }
- my ($ip, $cidr) = split("\/",&General::ipcidr2msk($tmpip));
+ foreach my $route (@temp) {
+ chomp($route);
 
- if ($ip eq $Network::ethernet{'GREEN_NETADDRESS'} && $cidr eq $Network::ethernet{'GREEN_NETMASK'}) {
- $errormessage = $Lang::tr{'ovpn errmsg green already pushed'};
- goto ADV_ERROR;
- }
+ # Remove any excess whitespace
+ $route =~ s/^\s+//g;
+ $route =~ s/\s+$//g;
 
- my %ccdroutehash=();
- &General::readhasharray("${General::swroot}/ovpn/ccdroute", \%ccdroutehash);
- foreach my $key (keys %ccdroutehash) {
- foreach my $i (1 .. $#{$ccdroutehash{$key}}) {
- if ( $ip."/".$cidr eq $ccdroutehash{$key}[$i] ){
- $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
- goto ADV_ERROR;
- }
- my ($ip2,$cidr2) = split(/\//,$ccdroutehash{$key}[$i]);
- if (&General::IpInSubnet ($ip,$ip2,$cidr2)){
- $errormessage="Route $ip\/$cidr ".$Lang::tr{'ccd err inuse'}." $ccdroutehash{$key}[0]" ;
- goto ADV_ERROR;
- }
- }
+ # Skip empty lines
+ next if ($route eq "");
+
+ unless (&Network::check_subnet($route)) {
+ $errormessage = "$Lang::tr{'ovpn errmsg invalid route'}: $route";
+ goto ADV_ERROR;
 }
 
- $vpnsettings{'ROUTES_PUSH'} .= $tmpip."\n";
+ $vpnsettings{'ROUTES_PUSH'} .= $route . "\n";
 }
- }
- &write_routepushfile;
- undef $vpnsettings{'ROUTES_PUSH'};
- }
- else {
- undef $vpnsettings{'ROUTES_PUSH'};
- &write_routepushfile;
+
+ &write_routepushfile();
+
+ undef $vpnsettings{'ROUTES_PUSH'};
 }
+
 if ((length($cgiparams{'MAX_CLIENTS'}) == 0) || (($cgiparams{'MAX_CLIENTS'}) < 1 ) || (($cgiparams{'MAX_CLIENTS'}) > 1024 )) {
 $errormessage = $Lang::tr{'invalid input for max clients'};
 goto ADV_ERROR;
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index aef5cfcdf..1b73da739 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -2031,6 +2031,7 @@
 'ovpn engines' => 'Crypto engine',
 'ovpn errmsg green already pushed' => 'Route for green network is always set',
 'ovpn errmsg invalid ip or mask' => 'Invalid network-address or subnetmask',
+'ovpn errmsg invalid route' => 'Invalid route',
 'ovpn error md5' => 'You host certificate uses MD5 for the signature which is not accepted anymore.
Please update to the latest IPFire version and generate a new root and host certificate.

All OpenVPN clients needs then to be renewed!
',
 'ovpn fallback cipher' => 'Fallback Cipher',
 'ovpn fallback cipher help' => 'This cipher is being used by clients that do not support cipher negotiation.',

-- 
2.39.5