src: allow login/error page to use cache_safe()

Now that we don't have version leakage we can extend the use to the login page without risk (except that people know it's at least the version that feature was introduced in).
2026-03-13 00:07:26 +00:00 · 2018-09-16 12:25:38 +02:00 · 2018-09-16 12:25:38 +02:00 · 866ff2ba92
commit 866ff2ba92
parent 4178038bed
3 changed files with 16 additions and 19 deletions
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@ -244,8 +244,8 @@ function display_error_form($http_code, $desc)

    <title><?=$http_code?></title>

-    <link href="/ui/themes/<?= $themename ?>/build/css/main.css" rel="stylesheet">
-    <link href="/ui/themes/<?= $themename ?>/build/images/favicon.png" rel="shortcut icon">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/css/main.css") ?>" rel="stylesheet">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/images/favicon.png") ?>" rel="shortcut icon">

    <!--[if lt IE 9]><script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.2/html5shiv.min.js"></script><![endif]-->
  </head>
@ -312,17 +312,15 @@ function display_login_form($Login_Error)

    <title><?=gettext("Login"); ?></title>

-    <link href="/ui/themes/<?= $themename ?>/build/css/main.css" rel="stylesheet">
-    <link href="/ui/themes/<?= $themename ?>/build/images/favicon.png" rel="shortcut icon">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/css/main.css") ?>" rel="stylesheet">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/images/favicon.png") ?>" rel="shortcut icon">

    <script src="/ui/js/jquery-3.2.1.min.js"></script>
    <script src="/ui/js/jquery-migrate-3.0.1.min.js"></script>

-<?php
-    if (file_exists("/usr/local/opnsense/www/themes/".$themename."/build/js/theme.js")):?>
-    <script src="/ui/themes/<?=$themename?>/build/js/theme.js"></script>
-<?php
-    endif;?>
+<?php if (file_exists("/usr/local/opnsense/www/themes/{$themename}/build/js/theme.js")): ?>
+    <script src="<?= cache_safe("/ui/themes/{$themename}/build/js/theme.js") ?>"></script>
+<?php endif ?>

    <!--[if lt IE 9]><script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.2/html5shiv.min.js"></script><![endif]-->

--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@ -906,6 +906,15 @@ function url_safe($format, $args = array())
    return vsprintf($format, $args);
 }

+function cache_safe($url)
+{
+    $info = stat('/usr/local/opnsense/www/index.php');
+    if (!empty($info['mtime'])) {
+        return "{$url}?v=" . substr(md5($info['mtime']), 0, 16);
+    }
+
+    return $url;
+}

 /****f* util/exec_command
 * NAME
--- a/src/www/guiconfig.inc
+++ b/src/www/guiconfig.inc
@ -61,16 +61,6 @@ function html_safe($text)
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML401);
 }

-function cache_safe($url)
-{
-    $info = stat('/usr/local/opnsense/www/index.php');
-    if (!empty($info['mtime'])) {
-        return "{$url}?v=" . substr(md5($info['mtime']), 0, 16);
-    }
-
-    return $url;
-}
-
 /**
 * search for a themed filename or return distribution standard
 * @param string $url relative url