From: Adolf Belka <adolf.belka@ipfire.org>
Date: Thu, 25 Sep 2025 11:12:39 +0000 (+0200)
Subject: ovpnclients.dat: Fixes bug 13879
X-Git-Tag: v2.29-core198~41
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0400a1009439d0ffeddb1e449c8bd656341f5f44;p=ipfire-2.x.git

ovpnclients.dat: Fixes bug 13879

Fixes: bug 13879 - CONNECTION_NAME SQL Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
index 8fbf4f8fa..5e6baef3c 100644
--- a/html/cgi-bin/logs.cgi/ovpnclients.dat
+++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2020 IPFire Team  <info@ipfire.org>                           #
+# Copyright (C) 2020 - 2025 IPFire Team  <info@ipfire.org>                    #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -141,7 +141,7 @@ my $database_query = qq(
         ORDER BY common_name, duration DESC;
 );
 
-if ($cgiparams{'CONNECTION_NAME'}) {
+if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
 	$database_query = qq(
 		SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
 			STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions