bpfire/html/cgi-bin/firewall.cgi at 0e302b1efc06e0aac4e46b1aa0a44610fcb52db7

mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00

Files

Vincent Li 0e302b1efc firewall.cgi: Fixes XSS potential

commit 21539d63dfcb15f186309b3107f63d455e4008ea
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Thu Oct 2 13:10:15 2025 +0200

    firewall.cgi: Fixes XSS potential

    - Related to CVE-2025-50975
    - Fixes PROT
    - ruleremark was already escaped when firewall.cgi was initially merged back in Core
       Update 77.
    - SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
       ports or port ranges.
    - std_net_tgt is a string defined in the code and not a variable
    - The variable key ignores any input that is not a digit and subsequently uses the next
       free rulenumber digit

    Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>

2025-10-03 18:09:01 +00:00

116 KiB

Raw Blame History

View Raw

116 KiB Raw Blame History

116 KiB

Raw Blame History