Project

General

Profile

Actions

Bug #13436

closed

Input validation on ``system_advanced_firewall.inc`` uses incorrect variable references for some fields

Added by Jared Hendrickson about 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

A few fields in /usr/local/pfSense/include/www/system_advanced_firewall.inc are being incorrectly validated.

- `adaptiveend` is incorrectly being referred to as `adaptive-end` during validation.
- `maximumstates` is incorrectly being referred to as `firewall-maximum-states` during validation.
- `aliasesresolveinterval` is incorrectly being referred to as `aliases-hostnames-resolve-interval` during validation. (On the frontend, this field also has its input type `type=text` so any arbitrary value could be entered and accepted here.)
- `maximumtableentries` is incorrectly being referred to as `firewall-maximum-table-entries` during validation, but is validated correctly further down in the file.

I searched for references to the incorrect names and only see them in this file so I'm assuming they were just leftover from a refactor at some point.

Actions #1

Updated by Jim Pingle about 2 years ago

  • Category changed from Aliases / Tables to Web Interface
  • Assignee set to Jim Pingle
  • Target version set to 2.7.0
  • Plus Target Version set to 22.11

Looks like a remnant of the Bootstrap GUI work many years ago, most fields were fixed in #5025 but those were apparently missed.

Actions #2

Updated by Jim Pingle about 2 years ago

  • Status changed from Pull Request Review to Feedback

PR merged

Actions #3

Updated by Christopher Cope about 2 years ago

Tested on

22.11-DEVELOPMENT (amd64)
built on Fri Sep 30 06:04:54 UTC 2022
FreeBSD 14.0-CURRENT

The validation seems to be working correctly now, but the 'aliasesresolveinterval' is still set as a text input on the front-end. 'maximumtableentries' & 'maximumfrags' are also set as text input, but the back-end prevents anything other than integers.

Actions #4

Updated by Jim Pingle almost 2 years ago

  • Plus Target Version changed from 22.11 to 23.01
Actions #5

Updated by Jim Pingle almost 2 years ago

  • Subject changed from Bad field validation in system_advanced_firewall.inc to Input validation on ``system_advanced_firewall.inc`` uses incorrect variable references for some fields

Updating subject for release notes.

Actions #6

Updated by Chris Linstruth almost 2 years ago

  • Status changed from Feedback to In Progress

Should this be in Feedback, Resolved, or is there more work to be done based on the last feedback?

Actions #7

Updated by Jim Pingle almost 2 years ago

  • Status changed from In Progress to Resolved
  • % Done changed from 0 to 100

This issue was specifically about the variable names being incorrect which was causing the validation to be non-functional. The type mismatch isn't fatal or preventing anything from working so I'd say that's more appropriate for a separate request.

Closing.

Actions

Also available in: Atom PDF