proxy.cgi: sync bug 12755 13893 fixes from ipfire

commit f7c4f7d2968be6c9b786b7f7e46fdb8ac96c8104 Author: Michael Tremer <michael.tremer@ipfire.org> Date: Thu Sep 25 17:32:51 2025 +0200 proxy.cgi: Escape parameters in the right place Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> commit e22ecef885c34462565ae20020a32a27d0585dc3 Author: Adolf Belka <adolf.belka@ipfire.org> Date: Thu Sep 25 13:12:52 2025 +0200 proxy.cgi: Further fix for bug 13893 - Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the description for that bug. - bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi which is incorrect except for TLS_HOSTNAME. - The other parameters are from proxy.cgi but no mitigation was shown for those in the bug report. - This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> commit 4cf0694e55305e368c4ca28da2db7481c8f08c5a Author: Adolf Belka <adolf.belka@ipfire.org> Date: Thu Sep 25 13:12:51 2025 +0200 proxy.cgi: Fixes bug 13893 Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> commit a63c51da8ea03896c3340960821fbacece58f861 Author: Adolf Belka <adolf.belka@ipfire.org> Date: Tue May 6 16:10:10 2025 +0200 proxy.cgi: Fixes bug12755 - proxy auth problem with password longer than 8 chars - This makes the proxy local password management the same between chpasswd.cgi and proxy.cgi - Tested out on my vm testbed and was able to create and modify users and their passwords in the proxy.cgi page or modify a password for a specified user on the chpasswd.cgi page. This all happened successfully and was confirmed by testing out the local authentication. Fixes: bug12755 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>
2026-04-09 10:35:53 +02:00 · 2025-10-03 21:56:05 +00:00
parent a8dc9235f1
commit a8d93e014d
1 changed files with 22 additions and 17 deletions
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2025  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -20,7 +20,6 @@
 ###############################################################################

 use strict;
-use Apache::Htpasswd;
 use Scalar::Util qw(looks_like_number);

 # enable only the following on debugging purpose
@@ -956,7 +955,8 @@ if ($netsettings{'BLUE_DEV'}) {
 }
 print <<END
 	<td class='base'>$Lang::tr{'advproxy visible hostname'}:</td>
-	<td><input type='text' name='VISIBLE_HOSTNAME' value='$proxysettings{'VISIBLE_HOSTNAME'}' /></td>
+	<td><input type='text' name='VISIBLE_HOSTNAME'
+		value='@{[ &Header::escape($proxysettings{'VISIBLE_HOSTNAME'}) ]}' /></td>
 </tr>
 <tr>
 END
@@ -1075,13 +1075,15 @@ print <<END
 	<td class='base'><a href='/cgi-bin/cachemgr.cgi' target='_blank'>$Lang::tr{'proxy cachemgr'}:</td>
 	<td><input type='checkbox' name='CACHEMGR' $checked{'CACHEMGR'}{'on'} /></td>
 	<td class='base'>$Lang::tr{'advproxy admin mail'}:</td>
-	<td><input type='text' name='ADMIN_MAIL_ADDRESS' value='$proxysettings{'ADMIN_MAIL_ADDRESS'}' /></td>
+	<td><input type='text' name='ADMIN_MAIL_ADDRESS'
+		value='@{[ &Header::escape($proxysettings{'ADMIN_MAIL_ADDRESS'}) ]}' /></td>
 </tr>
 <tr>
 	<td class='base'>$Lang::tr{'proxy filedescriptors'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
 	<td><input type='text' name='FILEDESCRIPTORS' value='$proxysettings{'FILEDESCRIPTORS'}' size='5' /></td>
 	<td class='base'>$Lang::tr{'proxy admin password'}:</td>
-	<td><input type='text' name='ADMIN_PASSWORD' value='$proxysettings{'ADMIN_PASSWORD'}' /></td>
+	<td><input type='text' name='ADMIN_PASSWORD'
+		value='@{[ &Header::escape($proxysettings{'ADMIN_PASSWORD'}) ]}' /></td>
 </tr>
 <tr>
 	<td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
@@ -3977,8 +3979,14 @@ END
 		print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n";
 	}

-	if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; }
-	if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; }
+	if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq ''))
+		{
+			print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n";
+		}
+	if (!($proxysettings{'ADMIN_PASSWORD'} eq ''))
+		{
+			print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n";
+		}
 	print FILE "\n";

 	print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n";
@@ -3994,8 +4002,13 @@ END
 		# login=*:password      ($proxysettings{'FORWARD_USERNAME'} eq 'on')
 		if (($proxy1 eq 'YES') || ($proxy1 eq 'PASS'))
 		{
+			$proxysettings{'UPSTREAM_USER'} = &Header::escape($proxysettings{'UPSTREAM_USER'});
 			print FILE " login=$proxysettings{'UPSTREAM_USER'}";
-			if ($proxy1 eq 'YES') { print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}"; }
+			if ($proxy1 eq 'YES')
+			{
+				$proxysettings{'UPSTREAM_PASSWORD'} = &Header::escape($proxysettings{'UPSTREAM_PASSWORD'});
+				print FILE ":$proxysettings{'UPSTREAM_PASSWORD'}";
+			}
 		}
 		elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; }

@@ -4050,15 +4063,7 @@ sub adduser
 		close(FILE);
 	} else {
 		&deluser($str_user);
-
-		my %htpasswd_options = (
-			passwdFile => "$userdb",
-			UseMD5 => 1,
-		);
-
-		my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
-
-		$htpasswd->htpasswd($str_user, $str_pass);
+		&General::system("/usr/bin/htpasswd", "-bB", "-C 10", "$userdb", "$str_user", "$str_pass");
 	}

 	if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");