From 866ff2ba9252e4c3e830c6ff66edf0d2128b4f5e Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Sun, 16 Sep 2018 12:25:38 +0200
Subject: [PATCH] src: allow login/error page to use cache_safe()

Now that we don't have version leakage we can extend the use
to the login page without risk (except that people know it's
at least the version that feature was introduced in).
---
 src/etc/inc/authgui.inc | 16 +++++++---------
 src/etc/inc/util.inc    |  9 +++++++++
 src/www/guiconfig.inc   | 10 ----------
 3 files changed, 16 insertions(+), 19 deletions(-)

diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index 93f54fca9..0e1f488ed 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -244,8 +244,8 @@ function display_error_form($http_code, $desc)
 
     <title><?=$http_code?></title>
 
-    <link href="/ui/themes/<?= $themename ?>/build/css/main.css" rel="stylesheet">
-    <link href="/ui/themes/<?= $themename ?>/build/images/favicon.png" rel="shortcut icon">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/css/main.css") ?>" rel="stylesheet">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/images/favicon.png") ?>" rel="shortcut icon">
 
     <!--[if lt IE 9]><script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.2/html5shiv.min.js"></script><![endif]-->
   </head>
@@ -312,17 +312,15 @@ function display_login_form($Login_Error)
 
     <title><?=gettext("Login"); ?></title>
 
-    <link href="/ui/themes/<?= $themename ?>/build/css/main.css" rel="stylesheet">
-    <link href="/ui/themes/<?= $themename ?>/build/images/favicon.png" rel="shortcut icon">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/css/main.css") ?>" rel="stylesheet">
+    <link href="<?= cache_safe("/ui/themes/{$themename}/build/images/favicon.png") ?>" rel="shortcut icon">
 
     <script src="/ui/js/jquery-3.2.1.min.js"></script>
     <script src="/ui/js/jquery-migrate-3.0.1.min.js"></script>
 
-<?php
-    if (file_exists("/usr/local/opnsense/www/themes/".$themename."/build/js/theme.js")):?>
-    <script src="/ui/themes/<?=$themename?>/build/js/theme.js"></script>
-<?php
-    endif;?>
+<?php if (file_exists("/usr/local/opnsense/www/themes/{$themename}/build/js/theme.js")): ?>
+    <script src="<?= cache_safe("/ui/themes/{$themename}/build/js/theme.js") ?>"></script>
+<?php endif ?>
 
     <!--[if lt IE 9]><script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.2/html5shiv.min.js"></script><![endif]-->
 
diff --git a/src/etc/inc/util.inc b/src/etc/inc/util.inc
index 04b2dccb5..9c7c051a8 100644
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -906,6 +906,15 @@ function url_safe($format, $args = array())
     return vsprintf($format, $args);
 }
 
+function cache_safe($url)
+{
+    $info = stat('/usr/local/opnsense/www/index.php');
+    if (!empty($info['mtime'])) {
+        return "{$url}?v=" . substr(md5($info['mtime']), 0, 16);
+    }
+
+    return $url;
+}
 
 /****f* util/exec_command
  * NAME
diff --git a/src/www/guiconfig.inc b/src/www/guiconfig.inc
index 1c3f66dd9..0a107dc13 100644
--- a/src/www/guiconfig.inc
+++ b/src/www/guiconfig.inc
@@ -61,16 +61,6 @@ function html_safe($text)
     return htmlspecialchars($text, ENT_QUOTES | ENT_HTML401);
 }
 
-function cache_safe($url)
-{
-    $info = stat('/usr/local/opnsense/www/index.php');
-    if (!empty($info['mtime'])) {
-        return "{$url}?v=" . substr(md5($info['mtime']), 0, 16);
-    }
-
-    return $url;
-}
-
 /**
  * search for a themed filename or return distribution standard
  * @param string $url relative url