From d62015df1cdb0c0711b488bd66ced631b9a4f37b Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 10 May 2019 20:45:30 +0200
Subject: [PATCH] security, better guard free text inputs, only allow admin
 groups and signal the user about its likely disappearance in the future. In
 some cases users would be able to execute arbitrary commands, which is
 impossible to protect against.

---
 src/www/services_dnsmasq.php   | 7 ++++++-
 src/www/services_ntpd.php      | 5 +++++
 src/www/services_unbound.php   | 5 +++++
 src/www/vpn_openvpn_client.php | 5 +++++
 src/www/vpn_openvpn_csc.php    | 6 ++++++
 src/www/vpn_openvpn_server.php | 5 +++++
 6 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/src/www/services_dnsmasq.php b/src/www/services_dnsmasq.php
index 0d8a51ff9..a833c57de 100644
--- a/src/www/services_dnsmasq.php
+++ b/src/www/services_dnsmasq.php
@@ -70,7 +70,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             $input_errors[] = gettext('Unbound is still active on the same port. Disable it before enabling Dnsmasq.');
         }
 
-        if (!empty($pconfig['custom_options'])) {
+        $prev_opt = !empty($config['dnsmasq']['custom_options']) ? $config['dnsmasq']['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }
+        if (!empty($pconfig['custom_options']) && userIsAdmin($_SESSION['Username'])) {
             $args = '';
             foreach (preg_split('/\s+/', str_replace("\r\n", "\n", $pconfig['custom_options'])) as $c) {
                 if (!empty($c)) {
@@ -386,6 +390,7 @@ $( document ).ready(function() {
                     </div>
                     <div id="showadv" <?= empty($pconfig['custom_options']) ? "style='display:none'" : "" ?>>
                       <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                      <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                     </div>
                     <div class="hidden" data-for="help_for_advanced">
                       <?=gettext("Enter any additional options you would like to add to the Dnsmasq configuration here, separated by a space or newline"); ?>
diff --git a/src/www/services_ntpd.php b/src/www/services_ntpd.php
index 6ffc6cc35..28b0de86c 100644
--- a/src/www/services_ntpd.php
+++ b/src/www/services_ntpd.php
@@ -72,6 +72,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     if (!empty($pconfig['orphan']) && ($pconfig['orphan'] < 0 || $pconfig['orphan'] > 15 || !is_numeric($pconfig['orphan']))) {
         $input_errors[] = gettext("Orphan mode must be a value between 0..15");
     }
+    $prev_opt = !empty($a_ntpd['custom_options']) ? $a_ntpd['custom_options'] : "";
+    if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+        $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+    }
 
     // swap fields, really stupid field usage which we are not going to change now....
     foreach (array('kod', 'nomodify', 'nopeer', 'notrap') as $fieldname) {
@@ -411,6 +415,7 @@ include("head.inc");
                       <div id="showadv" <?=empty($pconfig['custom_options']) ? "style='display:none'" : ""; ?>>
                         <strong><?=gettext("Advanced");?><br /></strong>
                         <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea><br />
+                        <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?><br/>
                         <?= gettext('Enter any additional options you would like to add to the network time configuration here, separated by a space or newline.') ?>
                       </div>
                     </td>
diff --git a/src/www/services_unbound.php b/src/www/services_unbound.php
index e8d54ad3e..9ad7f7920 100644
--- a/src/www/services_unbound.php
+++ b/src/www/services_unbound.php
@@ -83,6 +83,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         if (!empty($pconfig['local_zone_type']) && !array_key_exists($pconfig['local_zone_type'], unbound_local_zone_types())) {
             $input_errors[] = sprintf(gettext('Local zone type "%s" is not known.'), $pconfig['local_zone_type']);
         }
+        $prev_opt = !empty($a_unboundcfg['custom_options']) ? $a_unboundcfg['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }
 
         if (count($input_errors) == 0) {
             // text types
@@ -318,6 +322,7 @@ include_once("head.inc");
                         <td><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?= gettext('Custom options') ?></td>
                         <td>
                           <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                          <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                           <div class="hidden" data-for="help_for_custom_options">
                             <?=gettext("Enter any additional options you would like to add to the Unbound configuration here."); ?>
                           </div>
diff --git a/src/www/vpn_openvpn_client.php b/src/www/vpn_openvpn_client.php
index bb41f7a05..2a26a4574 100644
--- a/src/www/vpn_openvpn_client.php
+++ b/src/www/vpn_openvpn_client.php
@@ -294,6 +294,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
         if (($pconfig['mode'] != "p2p_shared_key") && empty($pconfig['certref']) && empty($pconfig['auth_user']) && empty($pconfig['auth_pass'])) {
             $input_errors[] = gettext("If no Client Certificate is selected, a username and password must be entered.");
         }
+        $prev_opt = (isset($id) && !empty($a_client[$id])) ? $a_client[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }
 
         if (count($input_errors) == 0) {
             // save data
@@ -1101,6 +1105,7 @@ $( document ).ready(function() {
             <td style="width:22%"><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
             <td style="width:78%">
               <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+              <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
               <div class="hidden" data-for="help_for_custom_options">
                 <?=gettext("Enter any additional options you would like to add to the configuration file here."); ?>
               </div>
diff --git a/src/www/vpn_openvpn_csc.php b/src/www/vpn_openvpn_csc.php
index 7492ca4d6..26095db55 100644
--- a/src/www/vpn_openvpn_csc.php
+++ b/src/www/vpn_openvpn_csc.php
@@ -177,6 +177,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 }
             }
         }
+        $prev_opt = (isset($id) && !empty($a_csc[$id])) ? $a_csc[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }
+
 
         $reqdfields[] = 'common_name';
         $reqdfieldsn[] = 'Common name';
@@ -655,6 +660,7 @@ if ($act!="new" && $act!="edit") {
                     <td><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
                     <td>
                       <textarea rows="6" cols="70" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                      <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                       <div class="hidden" data-for="help_for_custom_options">
                         <?=gettext("Enter any additional options you would like to add for this client specific override, separated by a semicolon"); ?><br />
                         <?=gettext("EXAMPLE: push \"route 10.0.0.0 255.255.255.0\""); ?>;
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index 333b7522f..23dacf929 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
@@ -341,6 +341,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                 }
             }
         }
+        $prev_opt = (isset($id) && !empty($a_server[$id])) ? $a_server[$id]['custom_options'] : "";
+        if ($prev_opt != str_replace("\r\n", "\n", $pconfig['custom_options']) && !userIsAdmin($_SESSION['Username'])) {
+            $input_errors[] = gettext("Advanced options may only be edited by admins (role page-all), due to the increased possibility of privilege escalation.");
+        }
 
         do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
 
@@ -1547,6 +1551,7 @@ endif; ?>
                       <td style="width:22%"><a id="help_for_custom_options" href="#" class="showhelp"><i class="fa fa-info-circle"></i></a> <?=gettext("Advanced"); ?></td>
                       <td>
                         <textarea rows="6" cols="78" name="custom_options" id="custom_options"><?=$pconfig['custom_options'];?></textarea>
+                        <?=gettext("This option will be removed in the future due to being insecure by nature. In the mean time only full administrators are allowed to change this setting.");?>
                         <div class="hidden" data-for="help_for_custom_options">
                           <?=gettext("Enter any additional options you would like to add to the configuration file here."); ?>
                         </div>