lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-15 09:04:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

(ids) sanitize query strings

Browse Source
This commit is contained in:
Ad Schellevis 2015-06-26 10:11:43 +02:00
parent 0a5f2f2be5
commit 566f2b4bdd
2 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/opnsense/mvc/app/controllers/OPNsense/IDS/Api/ServiceController.php
View File

@ -29,6 +29,7 @@
namespace OPNsense\IDS\Api;
use \Phalcon\Filter;
use \OPNsense\Base\Filters\QueryFilter;
use \OPNsense\Base\ApiControllerBase;
use \OPNsense\Core\Backend;
use \OPNsense\IDS\IDS;
@ -162,13 +163,17 @@ class ServiceController extends ApiControllerBase
{
if ($this->request->isPost()) {
$this->sessionClose();
// create filter to sanitize input data
$filter = new Filter();
$filter->add('query', new QueryFilter());
// fetch query parameters
$itemsPerPage = $this->request->getPost('rowCount', 'int', 9999);
$currentPage = $this->request->getPost('current', 'int', 1);
if ($this->request->getPost('searchPhrase', 'string', '') != "") {
$searchPhrase = 'alert,src_ip/"*'.$this->request->getPost('searchPhrase', 'string', '').'*"';
$filterTag = $filter->sanitize($this->request->getPost('searchPhrase'), "query");
$searchPhrase = 'alert,src_ip/"*'.$filterTag .'*"';
} else {
$searchPhrase = '';
}

15
src/opnsense/mvc/app/controllers/OPNsense/IDS/Api/SettingsController.php
View File

@ -28,7 +28,9 @@
*/
namespace OPNsense\IDS\Api;
use \Phalcon\Filter;
use \OPNsense\Base\ApiControllerBase;
use \OPNsense\Base\Filters\QueryFilter;
use \OPNsense\Core\Backend;
use \OPNsense\IDS\IDS;
use \OPNsense\Core\Config;
@ -62,6 +64,10 @@ class SettingsController extends ApiControllerBase
{
if ($this->request->isPost()) {
$this->sessionClose();
// create filter to sanitize input data
$filter = new Filter();
$filter->add('query', new QueryFilter());
// fetch query parameters
$itemsPerPage = $this->request->getPost('rowCount', 'int', 9999);
@ -80,20 +86,22 @@ class SettingsController extends ApiControllerBase
if ($sortStr != '') {
$sortStr .= ',';
}
$sortStr .= $sortKey . ' '. $sortOrd . ' ';
$sortStr .= $filter->sanitize($sortKey, "query") . ' '. $sortOrd . ' ';
}
} else {
$sortStr = 'sid';
}
if ($this->request->getPost('searchPhrase', 'string', '') != "") {
$searchPhrase = 'msg,classtype,source,sid/"%'.$this->request->getPost('searchPhrase', 'string', '').'"';
$searchTag = $filter->sanitize($this->request->getPost('searchPhrase'), "query");
$searchPhrase = 'msg,classtype,source,sid/"*'.$searchTag.'"';
} else {
$searchPhrase = '';
}
// add filter for classtype
if ($this->request->getPost("classtype", "string", '') != "") {
$searchPhrase .= "classtype/".$this->request->getPost("classtype", "string", '').' ';
$searchTag = $filter->sanitize($this->request->getPost('classtype'), "query");
$searchPhrase .= "classtype/".$searchTag.' ';
}
// request list of installed rules
@ -114,6 +122,7 @@ class SettingsController extends ApiControllerBase
$result['rowCount'] = count($result['rows']);
$result['total'] = $data['total_rows'];
$result['parameters'] = $data['parameters'];
$result['current'] = (int)$currentPage;
return $result;
} else {