security, better guard free text inputs, only allow admin groups and signal the user about its likely disappearance in the future.

In some cases users would be able to execute arbitrary commands, which is impossible to protect against.
2026-03-20 11:26:13 +00:00 · 2019-05-10 20:45:30 +02:00 · 2019-05-10 20:45:30 +02:00 · d62015df1c
commit d62015df1c
parent 7af6473081
6 changed files with 32 additions and 1 deletions
--- a/src/www/services_dnsmasq.php
+++ b/src/www/services_dnsmasq.php
@ -70,7 +70,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $input_errors[] = gettext('Unbound is still active on the same port. Disable it before enabling Dnsmasq.');
        }

-        if (!empty($pconfig['custom_options'])) {
+        $prev_opt = !empty($config['dnsmasq']['custom_options']) ? $config['dnsmasq']['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }
+        if (!empty($pconfig['custom_options']) && userIsAdmin($_SESSION['Username'])) {
            $args = '';
            foreach (preg_split('/\s+/', str_replace("\r\n", "\n", $pconfig['custom_options'])) as $c) {
                if (!empty($c)) {
@ -386,6 +390,7 @@ $( document ).ready(function() {
                    </div>
                    <div id="showadv" <?= empty($pconfig['custom_options']) ? "style='display:none'" : "" ?>>
                      <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                      <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                    </div>
                    <div class="hidden" data-for="help_for_advanced">
                      <?=gettext("Enter any additional options you would like to add to the Dnsmasq configuration here, separated by a space or newline"); ?>
--- a/src/www/services_ntpd.php
+++ b/src/www/services_ntpd.php
@ -72,6 +72,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    if (!empty($pconfig['orphan']) && ($pconfig['orphan'] < 0 || $pconfig['orphan'] > 15 || !is_numeric($pconfig['orphan']))) {
        $input_errors[] = gettext("Orphan mode must be a value between 0..15");
    }
+    $prev_opt = !empty($a_ntpd['custom_options']) ? $a_ntpd['custom_options'] : "";
+    if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+        $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+    }

    // swap fields, really stupid field usage which we are not going to change now....
    foreach (array('kod', 'nomodify', 'nopeer', 'notrap') as $fieldname) {
@ -411,6 +415,7 @@ include("head.inc");
                      <div id="showadv" <?=empty($pconfig['custom_options']) ? "style='display:none'" : ""; ?>>
                        <strong><?=gettext("Advanced");?><br /></strong>
                        <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea><br />
+                        <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?><br/>
                        <?= gettext('Enter any additional options you would like to add to the network time configuration here, separated by a space or newline.') ?>
                      </div>
                    </td>
--- a/src/www/services_unbound.php
+++ b/src/www/services_unbound.php
@ -83,6 +83,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        if (!empty($pconfig['local_zone_type']) && !array_key_exists($pconfig['local_zone_type'], unbound_local_zone_types())) {
            $input_errors[] = sprintf(gettext('Local zone type "%s" is not known.'), $pconfig['local_zone_type']);
        }
+        $prev_opt = !empty($a_unboundcfg['custom_options']) ? $a_unboundcfg['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }

        if (count($input_errors) == 0) {
            // text types
@ -318,6 +322,7 @@ include_once("head.inc");
                        <td><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Custom options') ?></td>
                        <td>
                          <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                          <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                          <div class="hidden" data-for="help_for_custom_options">
                            <?=gettext("Enter any additional options you would like to add to the Unbound configuration here."); ?>
                          </div>
--- a/src/www/vpn_openvpn_client.php
+++ b/src/www/vpn_openvpn_client.php
@ -294,6 +294,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && empty($pconfig['auth_user']) && empty($pconfig['auth_pass'])) {
            $input_errors[] = gettext("If no Client Certificate is selected, a username and password must be entered.");
        }
+        $prev_opt = (isset($id) && !empty($a_client[$id])) ? $a_client[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }

        if (count($input_errors) == 0) {
            // save data
@ -1101,6 +1105,7 @@ $( document ).ready(function() {
            <td style="width:22%"><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
            <td style="width:78%">
              <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+              <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
              <div class="hidden" data-for="help_for_custom_options">
                <?=gettext("Enter any additional options you would like to add to the configuration file here."); ?>
              </div>
--- a/src/www/vpn_openvpn_csc.php
+++ b/src/www/vpn_openvpn_csc.php
@ -177,6 +177,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                }
            }
        }
+        $prev_opt = (isset($id) && !empty($a_csc[$id])) ? $a_csc[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }
+

        $reqdfields[] = 'common_name';
        $reqdfieldsn[] = 'Common name';
@ -655,6 +660,7 @@ if ($act!="new" && $act!="edit") {
                    <td><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
                    <td>
                      <textarea rows="6" cols="70" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                      <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                      <div class="hidden" data-for="help_for_custom_options">
                        <?=gettext("Enter any additional options you would like to add for this client specific override, separated by a semicolon"); ?><br />
                        <?=gettext("EXAMPLE: push \"route 10.0.0.0 255.255.255.0\""); ?>;
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
@ -341,6 +341,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                }
            }
        }
+        $prev_opt = (isset($id) && !empty($a_server[$id])) ? $a_server[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }

        do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);

@ -1547,6 +1551,7 @@ endif; ?>
                      <td style="width:22%"><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
                      <td>
                        <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                        <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                        <div class="hidden" data-for="help_for_custom_options">
                          <?=gettext("Enter any additional options you would like to add to the configuration file here."); ?>
                        </div>