Bug #12000
Remote log server input validation allows invalid values
Status: closed, 100% done
Description
When configuring remote syslog servers in status_logs_settings.php each server is entered as IP[:port]. Port 514 is assumed if no port is entered.
However the page will allow you to enter a range of invalid values there such as:
- 5140
- 514:5140
- 192.168.1.105140
All result in invalid syslog configs.
Some are interpreted as IP addresses resulting in sending syslog data to an unintended target. For example 514 is seen as 0.0.2.2.
Tested 21.05 and 2.5.2.b.20210604.0300
Updated by Viktor Gurov over 3 years ago
OS interprets numeric-only value as decimal IP address:
```
[2.6.0-DEVELOPMENT][root@pf41.localdomain]/root: ping 10
PING 10 (0.0.0.10): 56 data bytes
[2.6.0-DEVELOPMENT][root@pf41.localdomain]/root: ping 255
PING 255 (0.0.0.255): 56 data bytes
[2.6.0-DEVELOPMENT][root@pf41.localdomain]/root: ping 256
PING 256 (0.0.1.0): 56 data bytes
```
`is_hostname()` improvement:
https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/275
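An added example (not part of the ticket or the pfSense code base): a strict `IPv4[:port]` check in Python that rejects the three values from the report, alongside a helper that reproduces the bare-number reading shown in the ping output above. The function names are hypothetical, hostnames and IPv6 are out of scope, and the helper models plain decimal input only.

```python
import ipaddress

DEFAULT_PORT = 514  # per the report: assumed when no port is entered


def legacy_numeric_ipv4(text):
    """Address an inet_aton-style parser derives from a bare decimal number,
    e.g. "514" -> "0.0.2.2"; None when the input is not such a number."""
    if not (text.isascii() and text.isdigit()):
        return None
    if len(text) > 1 and text[0] == "0":  # leading zero means octal there; not modelled
        return None
    value = int(text)
    return str(ipaddress.IPv4Address(value)) if value <= 0xFFFFFFFF else None


def parse_remote_server(entry):
    """Strictly parse 'IPv4[:port]'; return (ip, port) or raise ValueError."""
    host, sep, port_text = entry.strip().partition(":")
    try:
        # Requires four decimal octets of 0-255 each, so "514" and
        # "192.168.1.105140" fail here instead of reaching the syslog config.
        ip = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError as exc:
        raise ValueError(f"not a dotted-quad IPv4 address: {host!r}") from exc
    if not sep:
        return str(ip), DEFAULT_PORT
    if not (port_text.isascii() and port_text.isdigit()):
        raise ValueError(f"port is not a number: {port_text!r}")
    if not 1 <= int(port_text) <= 65535:
        raise ValueError(f"port out of range: {port_text!r}")
    return str(ip), int(port_text)


def check_entries(entries):
    """Validate every field independently; map entry -> (ip, port) or error text."""
    results = {}
    for entry in entries:
        try:
            results[entry] = parse_remote_server(entry)
        except ValueError as exc:
            results[entry] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample: the three invalid values from the report plus two valid ones.
    sample = ["5140", "514:5140", "192.168.1.105140", "192.168.1.10", "192.168.1.10:5140"]
    for entry, result in check_entries(sample).items():
        print(f"{entry!r} -> {result}; bare-number reading: {legacy_numeric_ipv4(entry)}")
```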
Updated by Jim Pingle over 3 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 3 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
PR has been merged. Thanks!
Updated by Viktor Gurov over 3 years ago
- % Done changed from 0 to 100
Applied in changeset c2c11dcf6dd2b71d554d2870a39373e75c70e624.
Updated by Danilo Zrenjanin over 3 years ago
Tested on the:
2.6.0-DEVELOPMENT (amd64) built on Mon Jul 26 14:27:42 EDT 2021 FreeBSD 12.2-STABLE
The validation check works only in the first input field. If you insert a valid value in the first field and an invalid one in the second and third, it will accept the settings.
Please check.
Updated by Danilo Zrenjanin over 3 years ago
- Status changed from Feedback to Resolved
It works fine. It considered my entry as FQDN (192.168.33.33333) and passed the validity check.
The ticket can be resolved.
Updated by Jim Pingle over 3 years ago
- Related to Regression #12245: Input validation error in system.php added
Updated by Viktor Gurov over 3 years ago
- Status changed from Resolved to Feedback
re-test required after #12245
Updated by Danilo Zrenjanin over 3 years ago
- Status changed from Feedback to Resolved
Re-tested on the:
2.6.0-DEVELOPMENT (amd64) built on Sat Aug 21 01:10:46 EDT 2021 FreeBSD 12.2-STABLE
Works fine.
Ticket resolved.
Updated by Jim Pingle over 3 years ago
- Subject changed from Remote syslog server input validation passes invalid values to Remote log server input validation allows invalid values
- Category changed from Web Interface to Logging
Updating subject for release notes.
Updated by Jim Pingle about 3 years ago
- Plus Target Version changed from 21.09 to 22.01