From patchwork Thu Oct 2 11:10:15 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 9150 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4ccpxC4VmVz3wkn for ; Thu, 02 Oct 2025 11:10:23 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [IPv6:2001:678:b28::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519) (Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4ccpxB6ZcXz3Mb for ; Thu, 02 Oct 2025 11:10:22 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [IPv6:::1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4ccpxB5rMsz2yHd for ; Thu, 02 Oct 2025 11:10:22 +0000 (UTC) X-Original-To: development@lists.ipfire.org Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mail01.haj.ipfire.org", Issuer "R13" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4ccpx81SZFz2yq4 for ; Thu, 02 Oct 2025 11:10:20 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4ccpx72y29z3Mb; Thu, 02 Oct 2025 11:10:19 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1759403419; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YbITLm4/gPR2tqG0zGdMjsHQmTvzWjAhUdWiM/AQRUw=; b=9dF8rcP4WGJVUJpFKLXLinaIcDVnK/KM+qsviy0rYLK1X82OsnZOWcKBTJhUmqNWsw0H94 BCCL8HM/fnZaLwAQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1759403419; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=YbITLm4/gPR2tqG0zGdMjsHQmTvzWjAhUdWiM/AQRUw=; b=LNcScOtGwI7etAMdGEzfbPTocAcaDDihTA2rdoRIYNjx3P8aj8eHtMlFYNcCi6uW8vPpJ9 OG7RaF4H15foyvQUeV9xoyRf25fbh212E9QemOpTeAHzJnnCTTeP98FEbxlr69vOmpKGHj RVH/lJ6/r/K/8aV/vGdB30ELLsbGDzhWwpTNAkvScJ8iNCJf5MJo7ZT0AyEdxvLz+nxwI9 x8KXl1xmzRT62M9CY5hnR31/8pqiAlYAXs5/z9AUp0E0s5N5mvk6QSYbuuYfXFqEVOMOdR hVu6ArKtwzNwmcgX86mPmXTpx8ijdj1zwwOtMGN8e9Kx9oDgNSeTYZqluUuE5A== From: Adolf Belka To: development@lists.ipfire.org Cc: Adolf Belka Subject: [PATCH 2/2] firewall.cgi: Fixes XSS potential Date: Thu, 2 Oct 2025 13:10:15 +0200 Message-ID: <20251002111015.13264-2-adolf.belka@ipfire.org> In-Reply-To: <20251002111015.13264-1-adolf.belka@ipfire.org> References: <20251002111015.13264-1-adolf.belka@ipfire.org> Precedence: list List-Id: List-Subscribe: , List-Unsubscribe: , List-Post: List-Help: Sender: Mail-Followup-To: MIME-Version: 1.0 - Related to CVE-2025-50975 - Fixes PROT - ruleremark was already escaped when firewall.cgi was initially merged back in Core Update 77. - SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as ports or port ranges. - std_net_tgt is a string defined in the code and not a variable - The variable key ignores any input that is not a digit and subsequently uses the next free rulenumber digit Signed-off-by: Adolf Belka --- html/cgi-bin/firewall.cgi | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 5f1eac09e..20e6a95e4 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2013 Alexander Marx # +# Copyright (C) 2013-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -2351,6 +2351,7 @@ sub saverule $fwdfwsettings{'ruleremark'}=~ s/,/;/g; utf8::decode($fwdfwsettings{'ruleremark'}); $fwdfwsettings{'ruleremark'}=&Header::escape($fwdfwsettings{'ruleremark'}); + $fwdfwsettings{'PROT'}=&Header::escape($fwdfwsettings{'PROT'}); if ($fwdfwsettings{'updatefwrule'} ne 'on'){ my $key = &General::findhasharraykey ($hash); $$hash{$key}[0] = $fwdfwsettings{'RULE_ACTION'};