system: extend ACL matching a little more

&* and ?* and can be used to match a page like /* now, which means we can use foobar.php?* to designate optional GET arguments to the URL to be allowed instead of falsely matching foobar.php* which could be foobar.phpfoobar/. It's a constructed issue, but it may help developers to build complex plugins that use different overlapping pages for one reason or another.
2026-03-20 03:16:12 +00:00 · 2018-07-30 23:43:12 +02:00 · 2018-07-30 23:43:12 +02:00 · ea9a77afd3
commit ea9a77afd3
parent a0b88452a4
3 changed files with 7 additions and 9 deletions
--- a/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
@ -86,9 +86,7 @@
                <Edit url="/system_crlmanager.php*" visibility="hidden"/>
            </Revocation>
        </Trust>
-        <Wizard url="/wizard.php?xml=system" cssClass="fa fa-magic fa-fw">
-            <Step url="/wizard.php?xml=system*" visibility="hidden"/>
-        </Wizard>
+        <Wizard url="/wizard.php?xml=system" cssClass="fa fa-magic fa-fw"/>
        <LogFiles order="150" VisibleName="Log Files" cssClass="fa fa-eye fa-fw">
            <General order="100" VisibleName="General" url="/diag_logs.php"/>
            <Configd order="150" VisibleName="Configd" url="/configd_logs.php"/>
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@ -185,8 +185,8 @@ class ACL
    {
        /* "." and "?" have no effect on match, but "*" is a wildcard */
        $match = str_replace(array('.', '*','?'), array('\.', '.*','\?'), $urlmask);
-        /* if pattern ends with '/.*' optionally match for flat URL mask */
-        $match = preg_replace('@/\.\*$@', '(/.*)?', $match);
+        /* if pattern ends with special markers also match flat URL mask */
+        $match = preg_replace('@([/&?])\.\*$@', '($1.*)?', $match);
        /* remove client side pattern from given URL */
        $url = preg_replace('@#.*$@', '', $url);

@ -291,8 +291,8 @@ class ACL
                if ($pattern == "*") {
                    return "index.php";
                } elseif (!empty($pattern)) {
-                    /* remove wildcard and optional trailing slashes */
-                    return preg_replace('@/?\*$@', '', $pattern);
+                    /* remove wildcard and optional trailing slashes or query symbols */
+                    return preg_replace('@[/&?]?\*$@', '', $pattern);
                }
                break;
            }
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
@ -427,7 +427,7 @@
    <page-wizard-system>
        <name>System Setup Wizard</name>
        <patterns>
-            <pattern>wizard.php?xml=system*</pattern>
+            <pattern>wizard.php?xml=system</pattern>
        </patterns>
    </page-wizard-system>
    <page-services-dhcprelay>
@ -798,7 +798,7 @@
        <name>VPN: OpenVPN: Server</name>
        <patterns>
            <pattern>vpn_openvpn_server.php*</pattern>
-            <pattern>wizard.php?xml=openvpn*</pattern>
+            <pattern>wizard.php?xml=openvpn&amp;*</pattern>
        </patterns>
    </page-openvpn-server>
    <page-xmlrpclibrary>