From c973d6da105f1e83423ee8d66b25a934262b069d Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Tue, 28 Oct 2014 21:53:27 +0100
Subject: [PATCH] guardian.cgi: Some more input validation.

Signed-off-by: Stefan Schantl
---
 html/cgi-bin/guardian.cgi | 41 ++++++++++++++++++++++++++++++---------
 langs/en/cgi-bin/en.pl | 4 ++++
 2 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi
index 1ccb619ba7..745a4a68f0 100644
--- a/html/cgi-bin/guardian.cgi
+++ b/html/cgi-bin/guardian.cgi
@@ -176,17 +176,40 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
 #
 } elsif ($settings{'ACTION'} eq $Lang::tr{'block'}) {
- # Check if no empty input has been performed.
- if ($settings{'ADDRESS_BLOCK'} ne '') {
+ # Assign some temporary variables used for input validation.
+ my $input = $settings{'ADDRESS_BLOCK'};
+ my $green = $netsettings{'GREEN_ADDRESS'};
+ my $blue = $netsettings{'BLUE_ADDRESS'};
+ my $orange = $netsettings{'ORANGE_ADDRESS'};
+ my $red = $netsettings{'RED_ADDRESS'};
- # Check if the given input is no valid IP-address or IP-address with subnet, display an error message.
- if ((!&General::validip($settings{'ADDRESS_BLOCK'})) && (!&General::validipandmask($settings{'ADDRESS_BLOCK'}))) {
- $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
- }
+ # Get gateway address.
+ my $gateway = &General::get_gateway();
- } else {
- $errormessage = "$Lang::tr{'guardian empty input'}";
- }
+ # Check if any input has been performed.
+ if ($input eq '') {
+ $errormessage = "$Lang::tr{'guardian empty input'}";
+ }
+
+ # Check if the given input is localhost (127.0.0.1).
+ elsif ($input eq "127.0.0.1") {
+ $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
+ }
+
+ # Check if the given input is anywhere (0.0.0.0).
+ elsif ($input eq "0.0.0.0") {
+ $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
+ }
+
+ # Check if the given input is one of the interface addresses or our gateway.
+ elsif ($input eq "$green" || $input eq "$blue" || $input eq "$orange" || $input eq "$red" || $input eq "$gateway") {
+ $errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
+ }
+
+ # Check if the given input is a valid IP address.
+ elsif (!&General::validip($input)) {
+ $errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
+ }
 # Go further if there was no error.
 if ($errormessage eq '') {
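Review bot: The exclusions in the new `elsif` chain are exact string comparisons, so only `127.0.0.1` is refused while any other loopback address (127.0.0.2 and so on) presumably passes `validip` and reaches the block action; matching the prefix, `elsif ($input =~ m/^127\./)`, covers the whole 127.0.0.0/8 range. The interface comparison also interpolates `$blue` and `$orange`, which are empty or undefined when that zone is not configured, so under `use warnings` every block request logs "uninitialized value" warnings — filtering the reserved list with `defined` (below) avoids that and makes the list easier to extend, and running `validip` before the reserved-address checks keeps the comparisons on syntactically valid input only. The message key `'guardian invalid address or subnet'` is kept although acceptance via `validipandmask` was removed, so a CIDR input is now rejected with wording that implies subnets are accepted; either restore the mask check or use a plain-address message. The enclosing `elsif` branch continues past the end of the hunk.
```perl
	my $gateway = &General::get_gateway();

	# Addresses that must never be blocked: loopback, unspecified, our own
	# interfaces and the gateway. Unconfigured zones yield undef/'' and are skipped.
	my %reserved = map { $_ => 1 }
	               grep { defined $_ && $_ ne '' }
	               ('127.0.0.1', '0.0.0.0', $green, $blue, $orange, $red, $gateway);

	# Check if any input has been performed.
	if ($input eq '') {
		$errormessage = "$Lang::tr{'guardian empty input'}";
	}

	# Check if the given input is a valid IP address.
	elsif (!&General::validip($input)) {
		$errormessage = "$Lang::tr{'guardian invalid address or subnet'}";
	}

	# Refuse the whole loopback range (127.0.0.0/8) and the reserved addresses.
	elsif ($input =~ m/^127\./ || $reserved{$input}) {
		$errormessage = "$Lang::tr{'guardian blocking of this address is not allowed'}";
	}
	# … unchanged: "Go further if there was no error" block …
```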
diff --git a/langs/en/cgi-bin/en.pl b/langs/en/cgi-bin/en.pl
index cbdc4749b8..70f73fec19 100644
--- a/langs/en/cgi-bin/en.pl
+++ b/langs/en/cgi-bin/en.pl
@@ -1250,6 +1250,7 @@
 'guardian block a host' => 'Block host',
 'guardian blocked hosts' => 'Currently blocked hosts',
 'guardian blocktime' => 'Blocktime',
+'guardian blocking of this address is not allowed' => 'Blocking of the given address is not allowed.',
 'guardian configuration' => 'Guardian Configuration',
 'guardian daemon' => 'Daemon',
 'guardian enabled' => 'Enable guardian',
@@ -1263,6 +1264,9 @@
 'guardian priority level' => 'Prioritylevel',
 'guardian service' => 'Guardian Service',
 'guardian snort alertfile' => 'Alertfile from Snort',
+'guardian watch snort alertfile' => 'Monitor Snort alertfile',
+'guardian block ssh brute-force' => 'SSH Brute-force detection',
+'guardian block httpd brute-force' => 'HTTPD Brute-force detection',
 'guest ok' => 'allow guests to access',
 'gui settings' => 'GUI Settings',
 'gz with key' => 'Only an encrypted archive can be restored on this machine.',
-- 
2.39.2