guardian.cgi: Some more input validation.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>

diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi
index 1ccb619ba773b51936cdcdc3ac0702b57ee680fc..745a4a68f014c65df529e3472f8a504c0661bd18 100644 (file)
--- a/html/cgi-bin/guardian.cgi
+++ b/html/cgi-bin/guardian.cgi
@@ -176,17 +176,40 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 #
 } elsif ($settings{'ACTION'} eq $Lang::tr{'block'}) {
 
-       # Check if no empty input has been performed.
-        if ($settings{'ADDRESS_BLOCK'} ne '') {
+       # Assign some temporary variables used for input validation.
+       my $input = $settings{'ADDRESS_BLOCK'};
+       my $green = $netsettings{'GREEN_ADDRESS'};
+       my $blue = $netsettings{'BLUE_ADDRESS'};
+       my $orange = $netsettings{'ORANGE_ADDRESS'};
+       my $red = $netsettings{'RED_ADDRESS'};
 
-                # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
-                if ((!&General::validip($settings{'ADDRESS_BLOCK'})) && (!&General::validipandmask($settings{'ADDRESS_BLOCK'}))) {
-                        $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
-                }
+       # Get gateway address.
+       my $gateway = &General::get_gateway();
 
-        } else {
-                $errormessage = "$Lang::tr{'guardian empty input'}";
-        }
+       # Check if any input has been performed.
+       if ($input eq '') {
+               $errormessage = "$Lang::tr{'guardian empty input'}";
+       }
+
+       # Check if the given input is localhost (127.0.0.1).
+       elsif ($input eq "127.0.0.1") {
+               $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
+       }
+
+       # Check if the given input is anywhere (0.0.0.0).
+       elsif ($input eq "0.0.0.0") {
+               $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
+       }
+
+       # Check if the given input is one of the interface addresses or our gateway.
+       elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
+               $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
+       }
+
+       # Check if the given input is a valid IP address.
+        elsif (!&General::validip($input)) {
+                        $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
+       }
 
         # Go further if there was no error.
         if ($errormessage eq '') {

diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index cbdc4749b8d95f45126dd0fe0863b5e347a429d5..70f73fec19da213fa4805362355746498d6a8b24 100644 (file)
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1250,6 +1250,7 @@
 'guardian block a host' => 'Block host',
 'guardian blocked hosts' => 'Currently blocked hosts',
 'guardian blocktime' => 'Blocktime',
+'guardian blocking of this address is not allowed' => 'Blocking of the given address is not allowed.',
 'guardian configuration' => 'Guardian Configuration',
 'guardian daemon' => 'Daemon',
 'guardian enabled' => 'Enable guardian',
@@ -1263,6 +1264,9 @@
 'guardian priority level' => 'Prioritylevel',
 'guardian service' => 'Guardian Service',
 'guardian snort alertfile' => 'Alertfile from Snort',
+'guardian watch snort alertfile' => 'Monitor Snort alertfile',
+'guardian block ssh brute-force' => 'SSH Brute-force detection',
+'guardian block httpd brute-force' => 'HTTPD Brute-force detection',
 'guest ok' => 'allow guests to access',
 'gui settings' => 'GUI Settings',
 'gz with key' => 'Only an encrypted archive can be restored on this machine.',