diff mbox series

[06/16] firewalllogcountry.dat: Fixes bug 13882

Message ID	20250925111252.11893-6-adolf.belka@ipfire.org
State	Staged
Commit	63d971bf688ad70fc82e54aea7a31aa508cf4c28
Headers	From: Adolf Belka <adolf.belka@ipfire.org> To: development@lists.ipfire.org Cc: Adolf Belka <adolf.belka@ipfire.org> Subject: [PATCH 06/16] firewalllogcountry.dat: Fixes bug 13882 Date: Thu, 25 Sep 2025 13:12:42 +0200 Message-ID: <20250925111252.11893-6-adolf.belka@ipfire.org> In-Reply-To: <20250925111252.11893-1-adolf.belka@ipfire.org> References: <20250925111252.11893-1-adolf.belka@ipfire.org> Precedence: list Sender: <development@lists.ipfire.org> Mail-Followup-To: <development@lists.ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 \| [01/16] fwhosts.cgi Fix for bug 13876 & bug 13877 [02/16] ids.cgi: Fixes bug 13878 [03/16] ovpnclients.dat: Fixes bug 13879 [04/16] header.pl: Fixes bug 13880 [05/16] firewalllogip.dat: Fixes bug 13881 [06/16] firewalllogcountry.dat: Fixes bug 13882 [07/16] time.cgi: Fixes bug 13883 [08/16] ddns.cgi: Fixes bug 13884 [09/16] qos.cgi: Fixes bug 13885 [10/16] calamaris.dat: Fixes bug 13886 [11/16] urlfilter.cgi: Fixes bugs 13887, 13888 & 13889 [12/16] config.dat: Fixes bug 13890 [13/16] mail.cgi: Fixes bug 13891 [14/16] dns.cgi: Fixes bug 13892 [15/16] proxy.cgi: Fixes bug 13893 [16/16] proxy.cgi: Further fix for bug 13893

Commit Message

Adolf Belka 25 Sep 2025, 11:12 a.m. UTC

Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
 html/cgi-bin/logs.cgi/firewalllogcountry.dat | 31 +++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)

Comments

Bernhard Bitsch 25 Sep 2025, 1:40 p.m. UTC | #1

Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>

Am 25.09.2025 um 13:12 schrieb Adolf Belka:
> Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting
> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
> ---
>   html/cgi-bin/logs.cgi/firewalllogcountry.dat | 31 +++++++++++++-------
>   1 file changed, 20 insertions(+), 11 deletions(-)
> 
> diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> index 4e998a567..b7fded9e3 100644
> --- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> +++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
> @@ -1,14 +1,23 @@
>   #!/usr/bin/perl
> -#
> -# SmoothWall CGIs
> -#
> -# This code is distributed under the terms of the GPL
> -#
> -# JC HERITIER
> -# page inspired from the initial firewalllog.dat
> -#
> -# Modified for IPFire by Christian Schmidt
> -#			    and Michael Tremer (www.ipfire.org)
> +###############################################################################
> +#                                                                             #
> +# IPFire.org - A linux based firewall                                         #
> +# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
> +#                                                                             #
> +# This program is free software: you can redistribute it and/or modify        #
> +# it under the terms of the GNU General Public License as published by        #
> +# the Free Software Foundation, either version 3 of the License, or           #
> +# (at your option) any later version.                                         #
> +#                                                                             #
> +# This program is distributed in the hope that it will be useful,             #
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
> +# GNU General Public License for more details.                                #
> +#                                                                             #
> +# You should have received a copy of the GNU General Public License           #
> +# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
> +#                                                                             #
> +###############################################################################
>   
>   use strict;
>   use Getopt::Std;
> @@ -61,7 +70,7 @@ if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
>   if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
>   
>   &Header::getcgihash(\%cgiparams);
> -if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
> +if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
>   if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
>   if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
>   if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };

diff mbox series

Patch

diff --git a/html/cgi-bin/logs.cgi/firewalllogcountry.dat b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
index 4e998a567..b7fded9e3 100644
--- a/html/cgi-bin/logs.cgi/firewalllogcountry.dat
+++ b/html/cgi-bin/logs.cgi/firewalllogcountry.dat
@@ -1,14 +1,23 @@ 
 #!/usr/bin/perl
-#
-# SmoothWall CGIs
-#
-# This code is distributed under the terms of the GPL
-#
-# JC HERITIER
-# page inspired from the initial firewalllog.dat
-#
-# Modified for IPFire by Christian Schmidt
-#			    and Michael Tremer (www.ipfire.org)
+###############################################################################
+#                                                                             #
+# IPFire.org - A linux based firewall                                         #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
+#                                                                             #
+# This program is free software: you can redistribute it and/or modify        #
+# it under the terms of the GNU General Public License as published by        #
+# the Free Software Foundation, either version 3 of the License, or           #
+# (at your option) any later version.                                         #
+#                                                                             #
+# This program is distributed in the hope that it will be useful,             #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
+# GNU General Public License for more details.                                #
+#                                                                             #
+# You should have received a copy of the GNU General Public License           #
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
+#                                                                             #
+###############################################################################
 
 use strict;
 use Getopt::Std;
@@ -61,7 +70,7 @@  if ($settings{'showpie'} != 0) { $cgiparams{'showpie'} = $settings{'showpie'} };
 if ($settings{'sortcolumn'} != 0) { $cgiparams{'sortcolumn'} = $settings{'sortcolumn'} };
 
 &Header::getcgihash(\%cgiparams);
-if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = $cgiparams{'pienumber'} };
+if ($cgiparams{'pienumber'} != 0) { $settings{'pienumber'} = &Header::escape($cgiparams{'pienumber'}) };
 if ($cgiparams{'otherspie'} != 0) { $settings{'otherspie'} = $cgiparams{'otherspie'} };
 if ($cgiparams{'showpie'} != 0) { $settings{'showpie'} = $cgiparams{'showpie'} };
 if ($cgiparams{'sortcolumn'} != 0) { $settings{'sortcolumn'} = $cgiparams{'sortcolumn'} };