[03/16] ovpnclients.dat: Fixes bug 13879
 
Commit Message
  
  
Fixes: bug 13879 - CONNECTION_NAME SQL Injection
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
  
 
Comments
  
  
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Am 25.09.2025 um 13:12 schrieb Adolf Belka:
> Fixes: bug 13879 - CONNECTION_NAME SQL Injection
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/logs.cgi/ovpnclients.dat | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
> index 8fbf4f8fa..5e6baef3c 100644
> --- a/html/cgi-bin/logs.cgi/ovpnclients.dat
> +++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
> @@ -2,7 +2,7 @@
>   ###############################################################################
>   #                                                                             #
>   # IPFire.org - A linux based firewall                                         #
> -# Copyright (C) 2020 IPFire Team  <info@ipfire.org>                           #
> +# Copyright (C) 2020 - 2025 IPFire Team  <info@ipfire.org>                    #
>   #                                                                             #
>   # This program is free software: you can redistribute it and/or modify        #
>   # it under the terms of the GNU General Public License as published by        #
> @@ -141,7 +141,7 @@ my $database_query = qq(
>           ORDER BY common_name, duration DESC;
>   );
>   
> -if ($cgiparams{'CONNECTION_NAME'}) {
> +if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
>   	$database_query = qq(
>   		SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
>   			STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
  
 
  
@@ -2,7 +2,7 @@ 
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2020 IPFire Team  <info@ipfire.org>                           #
+# Copyright (C) 2020 - 2025 IPFire Team  <info@ipfire.org>                    #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -141,7 +141,7 @@  my $database_query = qq(
         ORDER BY common_name, duration DESC;
 );
 
-if ($cgiparams{'CONNECTION_NAME'}) {
+if (($cgiparams{'CONNECTION_NAME'}) && ($cgiparams{'CONNECTION_NAME'} =~ /^[a-zA-Z0-9]+$/)) {
 	$database_query = qq(
 		SELECT common_name, DATETIME(connected_at, 'localtime'), DATETIME(disconnected_at, 'localtime'), bytes_received, bytes_sent,
 			STRFTIME('%s', DATETIME(disconnected_at)) - STRFTIME('%s', DATETIME(connected_at)) AS duration FROM sessions
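Review bot: The allow-list on the new `if` line uses `^`/`$`, and `$` matches before a trailing newline, so a value such as `"abc\n"` passes the check and the newline reaches the query text; the anchors should be `\A` and `\z`: `if ($cgiparams{'CONNECTION_NAME'} && $cgiparams{'CONNECTION_NAME'} =~ /\A[a-zA-Z0-9]+\z/) {`. The `qq(` block where the name is presumably interpolated into the SELECT continues past the end of the hunk, so the filtering remains string-built; a `?` placeholder with the value passed as a bind parameter would close the injection regardless of the character class and is worth considering as a follow-up. Note also that when the pattern does not match, the `if` block is skipped and `$database_query` keeps the unfiltered default from above, so a request for a name containing `-`, `_` or `.` silently returns all sessions rather than an error — if such names are valid in this deployment, the class is too narrow, and either way a short comment such as `# Allow-list the name: it is interpolated into the SQL below` on the new line would document why the check exists.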