From d4adfc301ee282bcc8a45f7b1066c49324147831 Mon Sep 17 00:00:00 2001
From: Franco Fichtner
Date: Fri, 31 Jul 2015 15:06:26 +0200
Subject: [PATCH] auth: fix HTTP_REVER checks by reverts for now

This reverts commit 92a5f77ad533ac1770bdcc0a39b8faca7aab8cfd.
This reverts commit 681f654c2f7f8747738cfe115f6399bff56bc319.
---
 src/etc/inc/auth.inc | 48 ++++++++++++++---------------------------
 src/etc/inc/authgui.inc | 20 ++++++++++++++---
 2 files changed, 33 insertions(+), 35 deletions(-)

diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index f67975648..380beb83b 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -38,7 +38,8 @@
 /* include globals from notices.inc /utility/XML parser files */
 require_once("radius.inc");
-
+require_once("interfaces.inc");
+require_once("util.inc");
 // Will be changed to false if security checks fail
 $security_passed = true;
@@ -147,8 +148,20 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui']['
 }
 if(!$found_host) {
- $found_host = isAuthLocalIP($referrer_host) ;
-
+ $interface_list_ips = get_configured_ip_addresses();
+ foreach($interface_list_ips as $ilips) {
+ if(strcasecmp($referrer_host, $ilips) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
+ $interface_list_ipv6s = get_configured_ipv6_addresses();
+ foreach($interface_list_ipv6s as $ilipv6s) {
+ if(strcasecmp($referrer_host, $ilipv6s) == 0) {
+ $found_host = true;
+ break;
+ }
+ }
 if($referrer_host == "127.0.0.1" || $referrer_host == "localhost") {
 // allow SSH port forwarded connections and links from localhost
 $found_host = true;
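Review bot: The IPv6 loop added in the `-147,8 +148,20` hunk matches `$referrer_host` against each configured address with `strcasecmp`, which only succeeds when both sides use exactly the same textual form. `$referrer_host` is assigned outside the hunk; if it comes from `parse_url()`, an IPv6 literal keeps its brackets, and any non-canonical spelling also differs from the configured string, so administrators on IPv6 would probably fail the Referer check and be pushed toward switching it off. Normalise before comparing: `$ref = trim($referrer_host, '[]');` then `if (filter_var($ref, FILTER_VALIDATE_IP) && inet_pton($ref) === inet_pton($ilipv6s)) {`. The two loops are otherwise identical and could be a single pass over both address lists; the `if(!$found_host)` block closes outside the hunk.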
@@ -175,35 +188,6 @@ unset($security_passed);
 $groupindex = index_groups();
 $userindex = index_users();
-/**
- * check if $http_host is a local configured ip address
- */
-function isAuthLocalIP($http_host) {
- global $config;
- $local_ip = false;
- if (isset($config['interfaces'])) {
- foreach($config['interfaces'] as $if => $ifdetail) {
- if (isset($ifdetail['enable'])) {
- if (isset($ifdetail['ipaddr']) && $ifdetail['ipaddr'] == $http_host) {
- $local_ip = true;
- } elseif (isset($ifdetail['ipaddr6']) && $ifdetail['ipaddr6'] == $http_host) {
- $local_ip = true;
- }
- }
- }
- }
-
- if (isset($config['virtualip']['vip'])) {
- foreach ($config['virtualip']['vip'] as $vip) {
- if ($vip['subnet'] == $http_host) {
- $local_ip = true;
- }
- }
- }
-
- return $local_ip;
-}
-
 function index_groups() {
 global $config, $groupindex;
diff --git a/src/etc/inc/authgui.inc b/src/etc/inc/authgui.inc
index d02071557..8deaba234 100644
--- a/src/etc/inc/authgui.inc
+++ b/src/etc/inc/authgui.inc
@@ -31,6 +31,7 @@
 */
 require_once("auth.inc");
+require_once("filter.inc");
 // provided via legacy_bindings.inc
 global $priv_list;
@@ -385,6 +386,7 @@ function display_login_form()
 /* Check against locally configured IP addresses, which will catch when someone port forwards WebGUI access from WAN to an internal IP on the router. */
+ $FilterIflist = filter_generate_optcfg_array() ;
 $local_ip = false;
 if (strstr($_SERVER['HTTP_HOST'], ":")) {
 $http_host_port = explode(":", $_SERVER['HTTP_HOST']);
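Review bot: In the `-385,6 +386,7` hunk, `filter_generate_optcfg_array()` now runs inside `display_login_form()`, so `filter.inc` is loaded and the interfaces are enumerated for every unauthenticated request that renders the login page. Only the interface addresses are needed here, so a narrower lookup such as the `get_configured_ip_addresses()` / `get_configured_ipv6_addresses()` calls this commit restores in auth.inc would keep the pre-authentication path smaller. Separately, the context lines split `$_SERVER['HTTP_HOST']` on `:`, which presumably truncates a bracketed IPv6 literal, so the `$iflist['ipv6'] == $http_host` test added in the following hunk is unlikely ever to match; the `$http_host` assignment sits between the two hunks and is not visible. A comment such as `// HTTP_HOST is client-supplied; IPv6 literals arrive as [addr]:port` above the split would record the constraint. The function body starts and ends outside the hunk.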
@@ -392,10 +394,22 @@ function display_login_form()
 } else {
 $http_host = $_SERVER['HTTP_HOST'];
 }
+ foreach ($FilterIflist as $iflist) {
+ if ($iflist['ip'] == $http_host) {
+ $local_ip = true;
+ }
+ if ($iflist['ipv6'] == $http_host) {
+ $local_ip = true;
+ }
+ }
- // fix, local ip check was previously done using "filter_generate_optcfg_array" which basically includes alomst everything here.
- // this should do the trick as well.
- $local_ip = isAuthLocalIP($http_host);
+ if (isset($config['virtualip']['vip'])) {
+ foreach ($config['virtualip']['vip'] as $vip) {
+ if ($vip['subnet'] == $http_host) {
+ $local_ip = true;
+ }
+ }
+ }
 if (isset($config['openvpn']['openvpn-server'])) {
 foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
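Review bot: The added tests `$iflist['ip'] == $http_host`, `$iflist['ipv6'] == $http_host` and `$vip['subnet'] == $http_host` are loose and unguarded, so an interface entry with no IPv4 or IPv6 address (missing key or empty string) compares equal to an empty or absent Host header and sets `$local_ip = true`. `HTTP_HOST` is client-supplied, and `$local_ip` is consumed later in `display_login_form()`, outside the hunk, presumably to decide whether the requested host counts as local. Guard and compare strictly, e.g. `if (!empty($http_host) && isset($iflist['ip']) && $iflist['ip'] === $http_host) {`, and do the same for the `ipv6` and `subnet` comparisons.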