Merge branch 'next' of git.ipfire.org:/pub/git/ipfire-2.x into next

Arne Fitzenreiter
2018-11-02 15:16:22 +00:00
27 changed files with 853 additions and 284 deletions


@@ -1,4 +1,4 @@
#!/usr/bin/perl
#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
@@ -19,148 +19,203 @@
# #
###############################################################################
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
use File::Path;
my $debug = 1;
my @include = "";
my ($Sekunden, $Minuten, $Stunden, $Monatstag, $Monat, $Jahr, $Wochentag, $Jahrestag, $Sommerzeit) = localtime(time);
$Jahr = $Jahr + 1900;$Monat = $Monat + 1;
$Monat = sprintf("%02d", $Monat);
$Monatstag = sprintf("%02d", $Monatstag);
$Stunden = sprintf("%02d", $Stunden);
$Minuten = sprintf("%02d", $Minuten);
NOW="$(date "+%Y-%m-%d-%H:%M")"
if (($ARGV[0] eq 'include') || ($ARGV[0] eq 'iso')) {
&createinclude;
my @files = `find / -name *.log* 2>/dev/null`;
foreach (@files){
push(@include,$_);
}
my @files = `find /var/log/ -name *messages* 2>/dev/null`;
foreach (@files){
push(@include,$_);
}
open(DATEI, ">/tmp/include") || die "Could not save temp include file";
print DATEI @include;
print "/var/log/messages";
close(DATEI);
system("tar -cvzf /var/ipfire/backup/$Jahr$Monat$Monatstag-$Stunden$Minuten.ipf --exclude-from='/var/ipfire/backup/exclude' --exclude-from='/var/ipfire/backup/exclude.user' --files-from='/tmp/include' --files-from='/var/ipfire/backup/include.user'");
system("rm /tmp/include");
if ($ARGV[0] eq 'iso') {
system("/usr/local/bin/backupiso $Jahr$Monat$Monatstag-$Stunden$Minuten &");
}
}
elsif ($ARGV[0] eq 'exclude') {
&createinclude;
open(DATEI, ">/tmp/include") || die "Could not save temp include file";
print DATEI @include;
close(DATEI);
system("tar -cvzf /var/ipfire/backup/$Jahr$Monat$Monatstag-$Stunden$Minuten.ipf --exclude-from='/var/ipfire/backup/exclude' --exclude-from='/var/ipfire/backup/exclude.user' --files-from='/tmp/include' --files-from='/var/ipfire/backup/include.user'");
system("rm /tmp/include");
}
elsif ($ARGV[0] eq 'restore') {
system("cd / && tar -xvz -p -f /tmp/restore.ipf");
#Here some converter scripts to correct old Backups (before core 65)
system("/usr/sbin/ovpn-ccd-convert");
#OUTGOINGFW CONVERTER
if( -d "${General::swroot}/outgoing"){
if( -f "${General::swroot}/firewall/config" ){
unlink("${General::swroot}/firewall/config");
system("touch ${General::swroot}/firewall/config");
chown 99,99,"${General::swroot}/firewall/config";
}
if( -f "${General::swroot}/firewall/outgoing" ){
unlink("${General::swroot}/firewall/outgoing");
system("touch ${General::swroot}/firewall/outgoing");
chown 99,99,"${General::swroot}/firewall/outgoing";
}
unlink("${General::swroot}/fwhosts/customgroups");
unlink("${General::swroot}/fwhosts/customhosts");
unlink("${General::swroot}/fwhosts/customgroups");
unlink("${General::swroot}/fwhosts/customnetworks");
unlink("${General::swroot}/fwhosts/customservicegrp");
unlink("${General::swroot}/fwhosts/customnetworks");
system("touch ${General::swroot}/fwhosts/customgroups");
system("touch ${General::swroot}/fwhosts/customhosts");
system("touch ${General::swroot}/fwhosts/customnetworks");
system("touch ${General::swroot}/fwhosts/customservicegrp");
#START CONVERTER "OUTGOINGFW"
system("/usr/sbin/convert-outgoingfw");
chown 99,99,"${General::swroot}/fwhosts/customgroups";
chown 99,99,"${General::swroot}/fwhosts/customhosts";
chown 99,99,"${General::swroot}/fwhosts/customnetworks";
chown 99,99,"${General::swroot}/fwhosts/customservicegrp";
#START CONVERTER "OUTGOINGFW"
rmtree("${General::swroot}/outgoing");
}
#XTACCESS CONVERTER
if( -d "${General::swroot}/xtaccess"){
if( -f "${General::swroot}/firewall/input" ){
unlink("${General::swroot}/firewall/input");
system("touch ${General::swroot}/firewall/input");
}
#START CONVERTER "XTACCESS"
system("/usr/sbin/convert-xtaccess");
chown 99,99,"${General::swroot}/firewall/input";
rmtree("${General::swroot}/xtaccess");
}
#DMZ-HOLES CONVERTER
if( -d "${General::swroot}/dmzholes" || -d "${General::swroot}/portfw"){
if( -f "${General::swroot}/firewall/config" ){
unlink("${General::swroot}/firewall/config");
system("touch ${General::swroot}/firewall/config");
}
#START CONVERTER "DMZ-HOLES"
system("/usr/sbin/convert-dmz");
chown 99,99,"${General::swroot}/firewall/config";
rmtree("${General::swroot}/dmzholes");
}
#PORTFORWARD CONVERTER
if( -d "${General::swroot}/portfw"){
#START CONVERTER "PORTFW"
system("/usr/sbin/convert-portfw");
rmtree("${General::swroot}/portfw");
}
system("/usr/local/bin/firewallctrl");
list_addons() {
local file
for file in /var/ipfire/backup/addons/includes/*; do
if [ -f "${file}" ]; then
basename "${file}"
fi
done
# Convert old OpenVPN CCD files (CN change, core 75).
system("/usr/local/bin/convert-ovpn");
}
elsif ($ARGV[0] eq 'restoreaddon') {
if ( -e "/tmp/$ARGV[1]" ){system("mv /tmp/$ARGV[1] /var/ipfire/backup/addons/backup/$ARGV[1]");}
system("cd / && tar -xvz -p -f /var/ipfire/backup/addons/backup/$ARGV[1]");
}
elsif ($ARGV[0] eq 'cli') {
system("tar -cvzf /var/ipfire/backup/$Jahr$Monat$Monatstag-$Stunden$Minuten-$ARGV[1].ipf --files-from='$ARGV[2]' --exclude-from='$ARGV[3]'");
}
elsif ($ARGV[0] eq 'addonbackup') {
system("tar -cvzf /var/ipfire/backup/addons/backup/$ARGV[1].ipf --files-from='/var/ipfire/backup/addons/includes/$ARGV[1]'");
}
elsif ($ARGV[0] =~ /\.(iso|ipf)$/ ) {
unlink("$ARGV[0]");
}
elsif ($ARGV[0] eq '') {
printf "No argument given, please use <include><exclude><cli>\n"
}
elsif ($ARGV[0] eq 'makedirs') {
system("mkdir -p /var/ipfire/backup/addons");
system("mkdir -p /var/ipfire/backup/addons/backup");
system("mkdir -p /var/ipfire/backup/addons/includes");
return 0
}
sub createinclude(){
process_includes() {
local include
open(DATEI, "<${General::swroot}/backup/include") || die "Can not open include file";
my @Zeilen = <DATEI>;
close(DATEI);
foreach (@Zeilen){
chomp($_);
my @files = `find $_ -maxdepth 0 2>/dev/null`;
foreach (@files){
push(@include,$_);
}
}
for include in $@; do
local file
while read -r file; do
for file in ${file}; do
if [ -e "${file}" ]; then
echo "${file}"
fi
done
done < "${include}"
done | sort -u
}
make_backup() {
local filename="${1}"
shift
# Backup all addons first
local addon
for addon in $(list_addons); do
make_addon_backup "${addon}"
done
tar cvzf "${filename}" \
--exclude-from="/var/ipfire/backup/exclude" \
--exclude-from="/var/ipfire/backup/exclude.user" \
$(process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user") \
"$@"
return 0
}
restore_backup() {
local filename="${1}"
tar xvzpf "${filename}" -C /
# Run converters
# Outgoing Firewall
if [ -d "/var/ipfire/outgoing" ]; then
# Reset files
local file
for file in /var/ipfire/firewall/{config,outgoing} \
/var/ipfire/fwhosts/custom{hosts,groups,networks}; do
: > "${file}"
chown nobody:nobody "${file}"
done
# Run converter
convert-outgoingfw
# Remove old configuration
rm -rf "/var/ipfire/outgoing"
fi
# External Access
if [ -d "/var/ipfire/xtaccess" ]; then
: > /var/ipfire/firewall/config
chown nobody:nobody "/var/ipfire/firewall/config"
# Run converter
convert-xtaccess
# Remove old configuration
rm -rf "/var/ipfire/xtaccess"
fi
# DMZ Holes
if [ -d "/var/ipfire/dmzholes" ] || [ -d "/var/ipfire/portfw" ]; then
: > /var/ipfire/firewall/config
chown nobody:nobody "/var/ipfire/firewall/config"
# Run converter
convert-dmz
# Remove old configuration
rm -rf "/var/ipfire/dmzholes"
fi
# Port Forwardings
if [ -d "/var/ipfire/portfw" ]; then
# Run converter
convert-portfw
# Remove old configuration
rm -rf "/var/ipfire/portfw"
fi
# Reload firewall
firewallctrl
# Convert old OpenVPN CCD files (CN change, Core Update 75)
convert-ovpn
return 0
}
find_logfiles() {
local filelist=( /var/log/messages* /var/log/*.log /var/log/**/*.log )
echo "${filelist[@]}"
}
make_addon_backup() {
local name="${1}"
shift
if [ ! -f "/var/ipfire/backup/addons/includes/${name}" ]; then
echo "${name} does not have any backup includes" >&2
return 1
fi
local filename="/var/ipfire/backup/addons/backup/${name}.ipf"
tar cvzf "${filename}" \
$(process_includes "/var/ipfire/backup/addons/includes/${name}")
}
restore_addon_backup() {
local name="${1}"
if [ -d "/tmp/${name}.ipf" ]; then
mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf"
fi
tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /
}
main() {
local command="${1}"
shift
# Desired backup filename
local filename="/var/ipfire/backup/${NOW}.ipf"
case "${command}" in
include)
make_backup "${filename}" $(find_logfiles)
;;
exclude)
make_backup "${filename}"
;;
restore)
restore_backup "/tmp/restore.ipf"
;;
addonbackup)
make_addon_backup "$@"
;;
restoreaddon)
restore_addon_backup "${1/.ipf/}"
;;
iso)
if make_backup "${filename}"; then
/usr/local/bin/backupiso "${NOW}" &
fi
;;
makedirs)
mkdir -p /var/ipfire/backup/addons/{backup,includes}
;;
list)
process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user"
;;
/var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso)
unlink "${command}"
;;
*)
echo "${0}: [include|exclude|restore|addonbackup <addon>|restoreaddon <addon>|iso]" >&2
return 2
;;
esac
return $?
}
main "$@" || exit $?
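Review bot: In `restore_addon_backup` the check `[ -d "/tmp/${name}.ipf" ]` tests for a directory, so an uploaded archive (a regular file) is never moved into /var/ipfire/backup/addons/backup and the following tar either fails or restores a stale copy; the removed Perl used `-e`, and `if [ -f "/tmp/${name}.ipf" ]; then` would keep that behaviour. The same function takes `name` straight from `${1/.ipf/}` and builds paths from it before `tar xvzpf ... -C /`, so a guard such as `case "${name}" in ""|*/*) return 2 ;; esac` belongs at its top; the `unlink` patterns in `main` have the same gap, because `*` in a `case` pattern also matches `/` and `..`. In `restore_backup`, the External Access branch truncates `/var/ipfire/firewall/config` where the removed code reset `firewall/input`, and the reset loop no longer covers `customservicegrp`; both look unintended.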


@@ -23,6 +23,9 @@
/root/.gitconfig
/root/.ssh
/var/ipfire/auth/users
/var/ipfire/backup/addons/backup
/var/ipfire/backup/exclude.user
/var/ipfire/backup/include.user
/var/ipfire/captive/*
/var/ipfire/*/*.conf
/var/ipfire/*/config


@@ -0,0 +1 @@
/etc/frr


@@ -2144,146 +2144,6 @@ CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Visa eCommerce Root"
#
# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
# Not Valid Before: Wed Jun 26 02:18:36 2002
# Not Valid After : Fri Jun 24 00:16:12 2022
# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Visa eCommerce Root"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
\103\157\155\155\145\162\143\145\040\122\157\157\164
END
CKA_ID UTF8 "0"
CKA_ISSUER MULTILINE_OCTAL
\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
\103\157\155\155\145\162\143\145\040\122\157\157\164
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
\034\142
END
CKA_VALUE MULTILINE_OCTAL
\060\202\003\242\060\202\002\212\240\003\002\001\002\002\020\023
\206\065\115\035\077\006\362\301\371\145\005\325\220\034\142\060
\015\006\011\052\206\110\206\367\015\001\001\005\005\000\060\153
\061\013\060\011\006\003\125\004\006\023\002\125\123\061\015\060
\013\006\003\125\004\012\023\004\126\111\123\101\061\057\060\055
\006\003\125\004\013\023\046\126\151\163\141\040\111\156\164\145
\162\156\141\164\151\157\156\141\154\040\123\145\162\166\151\143
\145\040\101\163\163\157\143\151\141\164\151\157\156\061\034\060
\032\006\003\125\004\003\023\023\126\151\163\141\040\145\103\157
\155\155\145\162\143\145\040\122\157\157\164\060\036\027\015\060
\062\060\066\062\066\060\062\061\070\063\066\132\027\015\062\062
\060\066\062\064\060\060\061\066\061\062\132\060\153\061\013\060
\011\006\003\125\004\006\023\002\125\123\061\015\060\013\006\003
\125\004\012\023\004\126\111\123\101\061\057\060\055\006\003\125
\004\013\023\046\126\151\163\141\040\111\156\164\145\162\156\141
\164\151\157\156\141\154\040\123\145\162\166\151\143\145\040\101
\163\163\157\143\151\141\164\151\157\156\061\034\060\032\006\003
\125\004\003\023\023\126\151\163\141\040\145\103\157\155\155\145
\162\143\145\040\122\157\157\164\060\202\001\042\060\015\006\011
\052\206\110\206\367\015\001\001\001\005\000\003\202\001\017\000
\060\202\001\012\002\202\001\001\000\257\127\336\126\036\156\241
\332\140\261\224\047\313\027\333\007\077\200\205\117\310\234\266
\320\364\157\117\317\231\330\341\333\302\110\134\072\254\071\063
\307\037\152\213\046\075\053\065\365\110\261\221\301\002\116\004
\226\221\173\260\063\360\261\024\116\021\157\265\100\257\033\105
\245\112\357\176\266\254\362\240\037\130\077\022\106\140\074\215
\241\340\175\317\127\076\063\036\373\107\361\252\025\227\007\125
\146\245\265\055\056\330\200\131\262\247\015\267\106\354\041\143
\377\065\253\245\002\317\052\364\114\376\173\365\224\135\204\115
\250\362\140\217\333\016\045\074\237\163\161\317\224\337\112\352
\333\337\162\070\214\363\226\275\361\027\274\322\272\073\105\132
\306\247\366\306\027\213\001\235\374\031\250\052\203\026\270\072
\110\376\116\076\240\253\006\031\351\123\363\200\023\007\355\055
\277\077\012\074\125\040\071\054\054\000\151\164\225\112\274\040
\262\251\171\345\030\211\221\250\334\034\115\357\273\176\067\013
\135\376\071\245\210\122\214\000\154\354\030\174\101\275\366\213
\165\167\272\140\235\204\347\376\055\002\003\001\000\001\243\102
\060\100\060\017\006\003\125\035\023\001\001\377\004\005\060\003
\001\001\377\060\016\006\003\125\035\017\001\001\377\004\004\003
\002\001\006\060\035\006\003\125\035\016\004\026\004\024\025\070
\203\017\077\054\077\160\063\036\315\106\376\007\214\040\340\327
\303\267\060\015\006\011\052\206\110\206\367\015\001\001\005\005
\000\003\202\001\001\000\137\361\101\175\174\134\010\271\053\340
\325\222\107\372\147\134\245\023\303\003\041\233\053\114\211\106
\317\131\115\311\376\245\100\266\143\315\335\161\050\225\147\021
\314\044\254\323\104\154\161\256\001\040\153\003\242\217\030\267
\051\072\175\345\026\140\123\170\074\300\257\025\203\367\217\122
\063\044\275\144\223\227\356\213\367\333\030\250\155\161\263\367
\054\027\320\164\045\151\367\376\153\074\224\276\115\113\101\214
\116\342\163\320\343\220\042\163\103\315\363\357\352\163\316\105
\212\260\246\111\377\114\175\235\161\210\304\166\035\220\133\035
\356\375\314\367\356\375\140\245\261\172\026\161\321\026\320\174
\022\074\154\151\227\333\256\137\071\232\160\057\005\074\031\106
\004\231\040\066\320\140\156\141\006\273\026\102\214\160\367\060
\373\340\333\146\243\000\001\275\346\054\332\221\137\240\106\213
\115\152\234\075\075\335\005\106\376\166\277\240\012\074\344\000
\346\047\267\377\204\055\336\272\042\047\226\020\161\353\042\355
\337\337\063\234\317\343\255\256\216\324\216\346\117\121\257\026
\222\340\134\366\007\017
END
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
# Trust for Certificate "Visa eCommerce Root"
# Issuer: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
# Serial Number:13:86:35:4d:1d:3f:06:f2:c1:f9:65:05:d5:90:1c:62
# Subject: CN=Visa eCommerce Root,OU=Visa International Service Association,O=VISA,C=US
# Not Valid Before: Wed Jun 26 02:18:36 2002
# Not Valid After : Fri Jun 24 00:16:12 2022
# Fingerprint (MD5): FC:11:B8:D8:08:93:30:00:6D:23:F9:7E:EB:52:1E:02
# Fingerprint (SHA1): 70:17:9B:86:8C:00:A4:FA:60:91:52:22:3F:9F:3E:32:BD:E0:05:62
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Visa eCommerce Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\160\027\233\206\214\000\244\372\140\221\122\042\077\237\076\062
\275\340\005\142
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\374\021\270\330\010\223\060\000\155\043\371\176\353\122\036\002
END
CKA_ISSUER MULTILINE_OCTAL
\060\153\061\013\060\011\006\003\125\004\006\023\002\125\123\061
\015\060\013\006\003\125\004\012\023\004\126\111\123\101\061\057
\060\055\006\003\125\004\013\023\046\126\151\163\141\040\111\156
\164\145\162\156\141\164\151\157\156\141\154\040\123\145\162\166
\151\143\145\040\101\163\163\157\143\151\141\164\151\157\156\061
\034\060\032\006\003\125\004\003\023\023\126\151\163\141\040\145
\103\157\155\155\145\162\143\145\040\122\157\157\164
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\020\023\206\065\115\035\077\006\362\301\371\145\005\325\220
\034\142
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
#
# Certificate "Certum Root CA"
#


@@ -51,6 +51,8 @@
#usr/share/locale/ast
#usr/share/locale/ast/LC_MESSAGES
#usr/share/locale/ast/LC_MESSAGES/bison-runtime.mo
#usr/share/locale/ca/LC_MESSAGES/bison-runtime.mo
#usr/share/locale/ca/LC_MESSAGES/bison.mo
#usr/share/locale/da/LC_MESSAGES/bison-runtime.mo
#usr/share/locale/da/LC_MESSAGES/bison.mo
#usr/share/locale/de/LC_MESSAGES/bison-runtime.mo


@@ -0,0 +1,21 @@
#usr/include/json-c
#usr/include/json-c/arraylist.h
#usr/include/json-c/bits.h
#usr/include/json-c/debug.h
#usr/include/json-c/json.h
#usr/include/json-c/json_c_version.h
#usr/include/json-c/json_config.h
#usr/include/json-c/json_inttypes.h
#usr/include/json-c/json_object.h
#usr/include/json-c/json_object_iterator.h
#usr/include/json-c/json_pointer.h
#usr/include/json-c/json_tokener.h
#usr/include/json-c/json_util.h
#usr/include/json-c/json_visit.h
#usr/include/json-c/linkhash.h
#usr/include/json-c/printbuf.h
#usr/lib/libjson-c.la
#usr/lib/libjson-c.so
usr/lib/libjson-c.so.4
usr/lib/libjson-c.so.4.0.0
#usr/lib/pkgconfig/json-c.pc


@@ -5,7 +5,10 @@ sbin/lsmod
sbin/modinfo
sbin/modprobe
sbin/rmmod
#usr/include/libkmod.h
#usr/lib/libkmod.la
#usr/lib/libkmod.so
usr/lib/libkmod.so.2
usr/lib/libkmod.so.2.3.3
#usr/lib/pkgconfig/libkmod.pc
#usr/share/bash-completion/completions/kmod


@@ -0,0 +1 @@
../../../common/ca-certificates


@@ -4,7 +4,10 @@ etc/ssh/sshd_config
etc/sysctl.conf
srv/web/ipfire/cgi-bin/credits.cgi
srv/web/ipfire/cgi-bin/hardwaregraphs.cgi
srv/web/ipfire/cgi-bin/ids.cgi
srv/web/ipfire/cgi-bin/media.cgi
srv/web/ipfire/cgi-bin/pakfire.cgi
usr/local/bin/makegraphs
var/ipfire/backup/bin/backup.pl
var/ipfire/backup/include
var/ipfire/langs


@@ -0,0 +1 @@
../../../common/json-c


@@ -0,0 +1 @@
../../../common/squid


@@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do
done
# Stop services
/etc/init.d/squid stop
# Extract files
extract_files
@@ -46,6 +47,7 @@ ldconfig
/etc/init.d/unbound restart
/etc/init.d/apache restart
/etc/init.d/sshd restart
/etc/init.d/squid start
# Reload sysctl.conf
sysctl -p


@@ -0,0 +1,129 @@
#etc/frr
etc/frr/bgpd.conf.sample
etc/frr/bgpd.conf.sample2
etc/frr/bgpd.conf.vnc.sample
etc/frr/ospfd.conf.sample
etc/frr/ripngd.conf.sample
etc/frr/staticd.conf.sample
etc/frr/vtysh.conf.sample
etc/frr/zebra.conf.sample
etc/rc.d/init.d/frr
usr/bin/bgp_btoa
usr/bin/vtysh
#usr/include/frr
#usr/include/frr/bfd.h
#usr/include/frr/bitfield.h
#usr/include/frr/buffer.h
#usr/include/frr/checksum.h
#usr/include/frr/command.h
#usr/include/frr/command_graph.h
#usr/include/frr/command_match.h
#usr/include/frr/compiler.h
#usr/include/frr/csv.h
#usr/include/frr/debug.h
#usr/include/frr/distribute.h
#usr/include/frr/eigrpd
#usr/include/frr/eigrpd/eigrp_dump.h
#usr/include/frr/eigrpd/eigrp_topology.h
#usr/include/frr/eigrpd/eigrpd.h
#usr/include/frr/event_counter.h
#usr/include/frr/ferr.h
#usr/include/frr/fifo.h
#usr/include/frr/filter.h
#usr/include/frr/freebsd-queue.h
#usr/include/frr/frr_pthread.h
#usr/include/frr/frratomic.h
#usr/include/frr/frrstr.h
#usr/include/frr/getopt.h
#usr/include/frr/graph.h
#usr/include/frr/hash.h
#usr/include/frr/hook.h
#usr/include/frr/if.h
#usr/include/frr/if_rmap.h
#usr/include/frr/imsg.h
#usr/include/frr/ipaddr.h
#usr/include/frr/jhash.h
#usr/include/frr/json.h
#usr/include/frr/keychain.h
#usr/include/frr/lib_errors.h
#usr/include/frr/libfrr.h
#usr/include/frr/libospf.h
#usr/include/frr/linklist.h
#usr/include/frr/log.h
#usr/include/frr/logicalrouter.h
#usr/include/frr/md5.h
#usr/include/frr/memory.h
#usr/include/frr/memory_vty.h
#usr/include/frr/module.h
#usr/include/frr/monotime.h
#usr/include/frr/mpls.h
#usr/include/frr/network.h
#usr/include/frr/nexthop.h
#usr/include/frr/nexthop_group.h
#usr/include/frr/ns.h
#usr/include/frr/openbsd-queue.h
#usr/include/frr/openbsd-tree.h
#usr/include/frr/ospfd
#usr/include/frr/ospfd/ospf_api.h
#usr/include/frr/ospfd/ospf_asbr.h
#usr/include/frr/ospfd/ospf_dump.h
#usr/include/frr/ospfd/ospf_dump_api.h
#usr/include/frr/ospfd/ospf_ism.h
#usr/include/frr/ospfd/ospf_lsa.h
#usr/include/frr/ospfd/ospf_lsdb.h
#usr/include/frr/ospfd/ospf_nsm.h
#usr/include/frr/ospfd/ospf_opaque.h
#usr/include/frr/ospfd/ospfd.h
#usr/include/frr/pbr.h
#usr/include/frr/plist.h
#usr/include/frr/pqueue.h
#usr/include/frr/prefix.h
#usr/include/frr/privs.h
#usr/include/frr/ptm_lib.h
#usr/include/frr/pw.h
#usr/include/frr/qobj.h
#usr/include/frr/queue.h
#usr/include/frr/ringbuf.h
#usr/include/frr/route_types.h
#usr/include/frr/routemap.h
#usr/include/frr/sbuf.h
#usr/include/frr/sha256.h
#usr/include/frr/sigevent.h
#usr/include/frr/skiplist.h
#usr/include/frr/sockopt.h
#usr/include/frr/sockunion.h
#usr/include/frr/spf_backoff.h
#usr/include/frr/srcdest_table.h
#usr/include/frr/stream.h
#usr/include/frr/systemd.h
#usr/include/frr/table.h
#usr/include/frr/termtable.h
#usr/include/frr/thread.h
#usr/include/frr/vector.h
#usr/include/frr/version.h
#usr/include/frr/vlan.h
#usr/include/frr/vrf.h
#usr/include/frr/vrf_int.h
#usr/include/frr/vty.h
#usr/include/frr/vxlan.h
#usr/include/frr/wheel.h
#usr/include/frr/workqueue.h
#usr/include/frr/zassert.h
#usr/include/frr/zclient.h
#usr/include/frr/zebra.h
#usr/lib/libfrr.a
#usr/lib/libfrr.la
#usr/lib/libfrr.so
usr/lib/libfrr.so.0
usr/lib/libfrr.so.0.0.0
usr/sbin/bgpd
usr/sbin/frr
usr/sbin/frr-reload
usr/sbin/frr-reload.py
usr/sbin/ospfd
usr/sbin/rfptest
usr/sbin/ssd
usr/sbin/staticd
usr/sbin/watchfrr
usr/sbin/zebra
var/ipfire/backup/addons/includes/frr


@@ -5,9 +5,26 @@ sbin/nfsdcltrack
sbin/osd_login
sbin/umount.nfs
sbin/umount.nfs4
#usr/include/nfsidmap.h
#usr/include/nfsidmap_plugin.h
#usr/lib/libnfsidmap
#usr/lib/libnfsidmap.a
#usr/lib/libnfsidmap.la
#usr/lib/libnfsidmap.so
usr/lib/libnfsidmap.so.0
usr/lib/libnfsidmap.so.0.3.0
usr/lib/libnfsidmap.so.1
usr/lib/libnfsidmap.so.1.0.0
#usr/lib/libnfsidmap/nsswitch.a
#usr/lib/libnfsidmap/nsswitch.la
usr/lib/libnfsidmap/nsswitch.so
#usr/lib/libnfsidmap/static.a
#usr/lib/libnfsidmap/static.la
usr/lib/libnfsidmap/static.so
#usr/lib/libnfsidmap/umich_ldap.a
#usr/lib/libnfsidmap/umich_ldap.la
usr/lib/libnfsidmap/umich_ldap.so
#usr/lib/pkgconfig/libnfsidmap.pc
usr/sbin/exportfs
usr/sbin/mountstats
usr/sbin/nfsconf
@@ -22,7 +39,9 @@ usr/sbin/rpcdebug
usr/sbin/showmount
usr/sbin/sm-notify
usr/sbin/start-statd
#usr/share/man/man3/nfs4_uid_to_name.3
#usr/share/man/man5/exports.5
#usr/share/man/man5/idmapd.conf.5
#usr/share/man/man5/nfs.5
#usr/share/man/man5/nfs.conf.5
#usr/share/man/man5/nfsmount.conf.5


@@ -28,7 +28,7 @@ server:
log-queries: no
# Unbound Statistics
statistics-interval: 0
statistics-interval: 86400
statistics-cumulative: yes
extended-statistics: yes


@@ -692,7 +692,7 @@ sub downloadrulesfile {
}
if ($peer) {
system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url");
system("wget -r --proxy=on --proxy-user=$proxysettings{'UPSTREAM_USER'} --proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'} -e http_proxy=http://$peer:$peerport/ -e https_proxy=http://$peer:$peerport/ -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url");
} else {
system("wget -r -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url");
}
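Review bot: The rewritten `system(...)` call in the `if ($peer)` branch still hands one interpolated string to the shell, so any shell metacharacter in `UPSTREAM_USER`, `UPSTREAM_PASSWORD`, `$peer`, `$peerport` or `$url` is interpreted by `/bin/sh`; the added `-e https_proxy=` adds one more place where `$peer:$peerport` lands. Where those values are validated is not visible here, because `downloadrulesfile` starts and ends outside the hunk. The list form of `system` avoids the shell entirely, as sketched below, and the `else` branch deserves the same treatment. The proxy password would still be readable in the process list as a wget argument, which is worth at least a comment.

```perl
if ($peer) {
	# List form: no shell is involved, each value is passed as one argument.
	system("wget", "-r", "--proxy=on",
		"--proxy-user=$proxysettings{'UPSTREAM_USER'}",
		"--proxy-passwd=$proxysettings{'UPSTREAM_PASSWORD'}",
		"-e", "http_proxy=http://$peer:$peerport/",
		"-e", "https_proxy=http://$peer:$peerport/",
		"-o", "/var/tmp/log",
		"--output-document=/var/tmp/snortrules.tar.gz",
		$url);
# … unchanged: else branch without proxy …
```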


@@ -24,7 +24,7 @@
include Config
VER = 20180910
VER = 20181027
THISAPP = ca-certificates
DIR_APP = $(DIR_SRC)/$(THISAPP)

114
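--- a/lfs/frr
+++ b/lfs/frr
@@ -0,0 +1,114 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+###############################################################################
+# Definitions
+###############################################################################
+include Config
+VER = 6.0
+THISAPP = frr-$(VER)
+DL_FILE = $(THISAPP).tar.xz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+PROG = frr
+PAK_VER = 1
+DEPS = ""
+###############################################################################
+# Top-level Rules
+###############################################################################
+objects = $(DL_FILE)
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+$(DL_FILE)_MD5 = d725c08e0093f58e5fcac0969c781813
+install : $(TARGET)
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+md5 : $(subst %,%_MD5,$(objects))
+dist:
+@$(PAK)
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+@$(CHECK)
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+@$(LOAD)
+$(subst %,%_MD5,$(objects)) :
+@$(MD5)
+###############################################################################
+# Installation Details
+###############################################################################
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+@$(PREBUILD)
+@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+cd $(DIR_APP) && ./configure \
+--prefix=/usr \
+--sysconfdir=/etc/frr \
+--localstatedir=/var/run/frr \
+--enable-user="frr" \
+--enable-group="frr" \
+--enable-vty-group="frrvty" \
+--enable-multipath=64 \
+--disable-doc \
+--disable-babeld \
+--disable-bfdd \
+--disable-eigrpd \
+--disable-irdp \
+--disable-isisd \
+--disable-ldpd \
+--disable-nhrpd \
+--disable-ospf6d \
+--disable-ospfapi \
+--disable-pbrd \
+--disable-pimd \
+--disable-ripd \
+--disable-ripngd
+cd $(DIR_APP) && make $(MAKETUNING)
+cd $(DIR_APP) && make install
+# Install backup include
+install -v -m 644 $(DIR_SRC)/config/backup/includes/frr \
+/var/ipfire/backup/addons/includes/frr
+# Install initscript
+$(call INSTALL_INITSCRIPT,frr)
+@rm -rf $(DIR_APP)
+@$(POSTBUILD)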
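Review bot: The only integrity pin for the downloaded tarball is `$(DL_FILE)_MD5`, and MD5 is no longer collision-resistant, so it is a weak basis for trusting an archive fetched from `$(URL_IPFIRE)`. What `$(CHECK)` and `$(MD5)` actually verify is defined outside this file, so this may be a limit of the lfs framework rather than of this recipe. If no stronger digest variable is available, a comment next to the hash such as `# MD5 is a transfer checksum only; verify the upstream release signature before bumping VER` would at least record the gap. The same applies to the `_MD5` line in lfs/json-c.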

80
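--- a/lfs/json-c
+++ b/lfs/json-c
@@ -0,0 +1,80 @@
+###############################################################################
+# #
+# IPFire.org - A linux based firewall #
+# Copyright (C) 2007-2018 IPFire Team <info@ipfire.org> #
+# #
+# This program is free software: you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation, either version 3 of the License, or #
+# (at your option) any later version. #
+# #
+# This program is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with this program. If not, see <http://www.gnu.org/licenses/>. #
+# #
+###############################################################################
+###############################################################################
+# Definitions
+###############################################################################
+include Config
+VER = 0.13.1
+THISAPP = json-c-$(VER)
+DL_FILE = $(THISAPP).tar.gz
+DL_FROM = $(URL_IPFIRE)
+DIR_APP = $(DIR_SRC)/$(THISAPP)
+TARGET = $(DIR_INFO)/$(THISAPP)
+###############################################################################
+# Top-level Rules
+###############################################################################
+objects = $(DL_FILE)
+$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
+$(DL_FILE)_MD5 = 04969ad59cc37bddd83741a08b98f350
+install : $(TARGET)
+check : $(patsubst %,$(DIR_CHK)/%,$(objects))
+download :$(patsubst %,$(DIR_DL)/%,$(objects))
+md5 : $(subst %,%_MD5,$(objects))
+dist:
+@$(PAK)
+###############################################################################
+# Downloading, checking, md5sum
+###############################################################################
+$(patsubst %,$(DIR_CHK)/%,$(objects)) :
+@$(CHECK)
+$(patsubst %,$(DIR_DL)/%,$(objects)) :
+@$(LOAD)
+$(subst %,%_MD5,$(objects)) :
+@$(MD5)
+###############################################################################
+# Installation Details
+###############################################################################
+$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
+@$(PREBUILD)
+@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
+cd $(DIR_APP) && ./configure --prefix=/usr --disable-static
+cd $(DIR_APP) && make $(MAKETUNING)
+cd $(DIR_APP) && make install
+@rm -rf $(DIR_APP)
+@$(POSTBUILD)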


@@ -72,6 +72,8 @@ $(subst %,%_MD5,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar xaf $(DIR_DL)/$(DL_FILE)
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/01_Certificate_fields_injection_via_D_in_ERR_SECURE_CONNECT_FAIL_306.patch
cd $(DIR_APP) && patch -Np1 -i $(DIR_SRC)/src/patches/squid/02_Fix_memory_leak_when_parsing_SNMP_packet_313.patch
cd $(DIR_APP) && patch -Np0 -i $(DIR_SRC)/src/patches/squid/squid-3.5.28-fix-max-file-descriptors.patch
cd $(DIR_APP) && autoreconf -vfi


@@ -37,7 +37,7 @@ KVER=`grep --max-count=1 VER lfs/linux | awk '{ print $3 }'`
GIT_TAG=$(git tag | tail -1) # Git Tag
GIT_LASTCOMMIT=$(git log | head -n1 | cut -d" " -f2 |head -c8) # Last commit
TOOLCHAINVER=20181024
TOOLCHAINVER=20181030
###############################################################################
#
@@ -1176,6 +1176,7 @@ buildipfire() {
lfsmake2 libgcrypt
lfsmake2 libassuan
lfsmake2 nettle
lfsmake2 json-c
lfsmake2 libevent
lfsmake2 libevent2
lfsmake2 expat
@@ -1556,6 +1557,7 @@ buildipfire() {
lfsmake2 lua
lfsmake2 dnsdist
lfsmake2 bird
lfsmake2 frr
lfsmake2 dmidecode
lfsmake2 mcelog
lfsmake2 rtpproxy

63
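--- a/src/initscripts/packages/frr
+++ b/src/initscripts/packages/frr
@@ -0,0 +1,63 @@
+#!/bin/sh
+########################################################################
+# Begin $rc_base/init.d/frr
+#
+# Description : FRRouting Suite
+#
+########################################################################
+. /etc/sysconfig/rc
+. ${rc_functions}
+DAEMONS="zebra bgpd ospfd staticd"
+case "${1}" in
+start)
+# Fix permissions of configuration directory
+if [ -d "/etc/frr" ]; then
+chown root.frr /etc/frr
+chmod 775 /etc/frr
+fi
+for daemon in ${DAEMONS}; do
+if [ -f "/etc/frr/${daemon}.conf" ]; then
+# Set permissions
+chown frr.frr "/etc/frr/${daemon}.conf"
+boot_mesg "Starting FRRouting ${daemon}..."
+loadproc "/usr/sbin/${daemon}" --daemon
+fi
+done
+;;
+stop)
+for daemon in ${DAEMONS}; do
+boot_mesg "Stopping FRRouting ${daemon}..."
+killproc "/usr/sbin/${daemon}"
+done
+;;
+reload)
+boot_mesg "Reloading FRRouting..."
+reloadproc /usr/sbin/frr-reload
+;;
+restart)
+${0} stop
+sleep 1
+${0} start
+;;
+status)
+for daemon in ${DAEMONS}; do
+statusproc "/usr/sbin/${daemon}"
+done
+;;
+*)
+echo "Usage: ${0} {start|stop|reload|restart|status}"
+exit 1
+;;
+esac
+# End $rc_base/init.d/frr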
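Review bot: The `start)` branch hands each `/etc/frr/${daemon}.conf` to `frr.frr` but never sets its mode, so a file created under a permissive umask stays readable by every local user. FRR configuration can carry secrets such as vty or BGP neighbour passwords, so I would add `chmod 640 "/etc/frr/${daemon}.conf"` right after the chown. Both chown calls also use the legacy `user.group` separator; `chown root:frr /etc/frr` and `chown frr:frr "/etc/frr/${daemon}.conf"` are the portable spelling. Separately, `stop)` walks `${DAEMONS}` in start order, so zebra is killed before bgpd, ospfd and staticd; stopping in reverse order is probably what is wanted, but that should be confirmed against FRR's own service scripts.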

52
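--- a/src/paks/frr/install.sh
+++ b/src/paks/frr/install.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+if ! getent group frr &>/dev/null; then
+groupadd -r frr
+fi
+if ! getent group frrvty &>/dev/null; then
+groupadd -r frrvty
+fi
+if ! getent passwd frr &>/dev/null; then
+useradd -r frr -g frr -s /bin/false -b /var/empty -G frrvty
+fi
+# Extract files
+extract_files
+# Restore any backups
+restore_backup "${NAME}"
+# Start services
+start_service "${NAME}"
+# Enable autostart
+ln -svf ../init.d/frr /etc/rc.d/rc0.d/K40frr
+ln -svf ../init.d/frr /etc/rc.d/rc3.d/S50frr
+ln -svf ../init.d/frr /etc/rc.d/rc6.d/K40frr
+exit 0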
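Review bot: `useradd -r frr -g frr -s /bin/false -b /var/empty -G frrvty` passes `-b`, which sets the base directory, so the account's home becomes `/var/empty/frr` rather than `/var/empty`. If a fixed, non-writable home is intended, this should be `-d /var/empty`. The results of `groupadd` and `useradd` are not checked and the script ends with an unconditional `exit 0`, so a failed account creation is reported as a successful install and the daemons' files may end up with unexpected ownership. A guard such as `groupadd -r frr || exit 1` on each creation step would surface that. Whether `extract_files` and `restore_backup` return a usable status cannot be seen here, since they are defined in functions.sh.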

35
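--- a/src/paks/frr/uninstall.sh
+++ b/src/paks/frr/uninstall.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+# Stop services
+stop_service "${NAME}"
+# Create backup
+extract_backup_includes
+make_backup "${NAME}"
+# Remove all files
+rm -rfv /etc/rc.d/rc*.d/*frr
+remove_files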
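Review bot: `rm -rfv /etc/rc.d/rc*.d/*frr` is broader than the three links install.sh creates: the leading `*` matches any entry whose name merely ends in `frr`, and `-r` would recurse if one of them were a directory. Naming the links removes only what the package owns: `rm -fv /etc/rc.d/rc0.d/K40frr /etc/rc.d/rc3.d/S50frr /etc/rc.d/rc6.d/K40frr`. The `frr` user and the `frr`/`frrvty` groups created at install time are left behind. If that is deliberate, for example to keep file ownership stable across a reinstall, a one-line comment saying so would help.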

26
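--- a/src/paks/frr/update.sh
+++ b/src/paks/frr/update.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+############################################################################
+# #
+# This file is part of the IPFire Firewall. #
+# #
+# IPFire is free software; you can redistribute it and/or modify #
+# it under the terms of the GNU General Public License as published by #
+# the Free Software Foundation; either version 2 of the License, or #
+# (at your option) any later version. #
+# #
+# IPFire is distributed in the hope that it will be useful, #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
+# GNU General Public License for more details. #
+# #
+# You should have received a copy of the GNU General Public License #
+# along with IPFire; if not, write to the Free Software #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
+# #
+# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
+# #
+############################################################################
+#
+. /opt/pakfire/lib/functions.sh
+./uninstall.sh
+./install.sh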
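Review bot: `./uninstall.sh` is run without checking its exit status, yet it is the step that creates the backup `install.sh` later restores. If the backup fails, the update carries on, and the routing configuration may be removed with nothing to restore. `./uninstall.sh || exit 1` before `./install.sh` would stop the update at that point. Both calls also rely on the current directory being the package directory, which I assume pakfire guarantees.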


@@ -0,0 +1,72 @@
commit f1657a9decc820f748fa3aff68168d3145258031
Author: Christos Tsantilas <christos@chtsanti.net>
Date: 2018-10-17 15:14:07 +0000
Certificate fields injection via %D in ERR_SECURE_CONNECT_FAIL (#306)
%ssl_subject, %ssl_ca_name, and %ssl_cn values were not properly escaped when %D code was expanded in HTML context of the ERR_SECURE_CONNECT_FAIL template. This bug affects all
ERR_SECURE_CONNECT_FAIL page templates containing %D, including the default template.
Other error pages are not vulnerable because Squid does not populate %D with certificate details in other contexts (yet).
Thanks to Nikolas Lohmann [eBlocker] for identifying the problem.
TODO: If those certificate details become needed for ACL checks or other non-HTML purposes, make their HTML-escaping conditional.
This is a Measurement Factory project.
diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc
index b5030e3..314e998 100644
--- a/src/ssl/ErrorDetail.cc
+++ b/src/ssl/ErrorDetail.cc
@@ -8,6 +8,8 @@
#include "squid.h"
#include "errorpage.h"
+#include "fatal.h"
+#include "html_quote.h"
#include "ssl/ErrorDetail.h"
#include <climits>
@@ -432,8 +434,11 @@ const char *Ssl::ErrorDetail::subject() const
{
if (broken_cert.get()) {
static char tmpBuffer[256]; // A temporary buffer
- if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
- return tmpBuffer;
+ if (X509_NAME_oneline(X509_get_subject_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
+ // quote to avoid possible html code injection through
+ // certificate subject
+ return html_quote(tmpBuffer);
+ }
}
return "[Not available]";
}
@@ -461,8 +466,11 @@ const char *Ssl::ErrorDetail::cn() const
static String tmpStr; ///< A temporary string buffer
tmpStr.clean();
Ssl::matchX509CommonNames(broken_cert.get(), &tmpStr, copy_cn);
- if (tmpStr.size())
- return tmpStr.termedBuf();
+ if (tmpStr.size()) {
+ // quote to avoid possible html code injection through
+ // certificate subject
+ return html_quote(tmpStr.termedBuf());
+ }
}
return "[Not available]";
}
@@ -474,8 +482,11 @@ const char *Ssl::ErrorDetail::ca_name() const
{
if (broken_cert.get()) {
static char tmpBuffer[256]; // A temporary buffer
- if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer)))
- return tmpBuffer;
+ if (X509_NAME_oneline(X509_get_issuer_name(broken_cert.get()), tmpBuffer, sizeof(tmpBuffer))) {
+ // quote to avoid possible html code injection through
+ // certificate issuer subject
+ return html_quote(tmpBuffer);
+ }
}
return "[Not available]";
}


@@ -0,0 +1,22 @@
commit bc9786119f058a76ddf0625424bc33d36460b9a2 (refs/remotes/origin/v3.5)
Author: flozilla <fishyflow@gmail.com>
Date: 2018-10-24 14:12:01 +0200
Fix memory leak when parsing SNMP packet (#313)
SNMP queries denied by snmp_access rules and queries with certain
unsupported SNMPv2 commands were leaking a few hundred bytes each. Such
queries trigger "SNMP agent query DENIED from..." WARNINGs in cache.log.
diff --git a/src/snmp_core.cc b/src/snmp_core.cc
index c4d21c1..16c2993 100644
--- a/src/snmp_core.cc
+++ b/src/snmp_core.cc
@@ -409,6 +409,7 @@ snmpDecodePacket(SnmpRequest * rq)
snmpConstructReponse(rq);
} else {
debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from);
+ snmp_free_pdu(PDU);
}
xfree(Community);