From ea9a77afd3d916575537e2c3ebd57e0a0a356d5b Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Mon, 30 Jul 2018 23:43:12 +0200 Subject: [PATCH] system: extend ACL matching a little more &* and ?* and can be used to match a page like /* now, which means we can use foobar.php?* to designate optional GET arguments to the URL to be allowed instead of falsely matching foobar.php* which could be foobar.phpfoobar/. It's a constructed issue, but it may help developers to build complex plugins that use different overlapping pages for one reason or another. --- src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml | 4 +--- src/opnsense/mvc/app/models/OPNsense/Core/ACL.php | 8 ++++---- src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml | 4 ++-- 3 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml b/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
index d8171e6a2..97ecd9a16 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Base/Menu/Menu.xml
@@ -86,9 +86,7 @@ - - - +
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
index 1532366f7..bfc5294fd 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
@@ -185,8 +185,8 @@ class ACL
 {
 /* "." and "?" have no effect on match, but "*" is a wildcard */
 $match = str_replace(array('.', '*','?'), array('\.', '.*','\?'), $urlmask);
- /* if pattern ends with '/.*' optionally match for flat URL mask */
- $match = preg_replace('@/\.\*$@', '(/.*)?', $match);
+ /* if pattern ends with special markers also match flat URL mask */
+ $match = preg_replace('@([/&?])\.\*$@', '($1.*)?', $match);
 /* remove client side pattern from given URL */
 $url = preg_replace('@#.*$@', '', $url);
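Review bot: For a mask ending in `?*` the new trailing-marker rewrite appears to build an invalid pattern, because the `str_replace` just above has already turned `?` into `\?` and the capture `([/&?])` takes only the `?`, leaving the backslash outside the group. A mask such as `foobar.php?*` would become `foobar\.php\(?.*)?`, where `\(` is a literal parenthesis and the closing `)` is unmatched. The function continues outside this hunk, but if `$match` is compiled as a regex there, the compile would presumably fail and the page be denied, so the `?*` case advertised in the commit message would not work. Capturing the escaped form keeps the group intact: `$match = preg_replace('@(/|&|\\\\\?)\.\*$@', '($1.*)?', $match);`. The `/*` and `&*` masks and the raw-pattern strip in the `@@ -291` hunk are not affected, and a test that checks `foobar.php?*` against `foobar.php`, `foobar.php?a=1` and `foobar.phpfoobar/` would pin the intended allow/deny behaviour.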
@@ -291,8 +291,8 @@ class ACL
 if ($pattern == "*") {
 return "index.php";
 } elseif (!empty($pattern)) {
- /* remove wildcard and optional trailing slashes */
- return preg_replace('@/?\*$@', '', $pattern);
+ /* remove wildcard and optional trailing slashes or query symbols */
+ return preg_replace('@[/&?]?\*$@', '', $pattern);
 }
 break;
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
index 03a3930e9..686dbbf19 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
@@ -427,7 +427,7 @@ System Setup Wizard - wizard.php?xml=system* + wizard.php?xml=system
@@ -798,7 +798,7 @@ VPN: OpenVPN: Server vpn_openvpn_server.php* - wizard.php?xml=openvpn* + wizard.php?xml=openvpn&*