Bug #13493
closed
Several advanced DHCP6 client options do not inform the user when rejecting invalid input
100%
Description
When entering "F", for example, as id-assoc pd ID in the interfaces tab and saving, it magically disappears without any error. Either an error should be shown or only numeric values should be accepted for that textbox.
Updated by Danilo Zrenjanin almost 2 years ago
- Priority changed from Normal to Very Low
Yes, I can replicate this on the:
22.05-RELEASE (amd64) built on Wed Jun 22 18:56:13 UTC 2022 FreeBSD 12.3-STABLE
ID is a decimal number of IAID. If omitted, the value 0 will be used by default.
The same issue appears when defining a non-numerical ID in the `na' (non-temporary address allocation) and `pd' (prefix delegation) fields.
Having input validation for these fields would be helpful.
Updated by Danilo Zrenjanin almost 2 years ago
- Status changed from New to Confirmed
Updated by Jim Pingle almost 2 years ago
- Plus Target Version changed from 22.11 to 23.01
Updated by Jim Pingle almost 2 years ago
- Assignee set to Jim Pingle
Looks like several fields get tested to ensure they are numeric ints before being stored, but don't have corresponding checks in places where they can generate input errors.
These are not all together in the code; these are just the fields I found, collected together:
// Under a block of code that runs when $_POST['type6'] == "dhcp6" :
if (is_numericint($_POST['adv_dhcp6_id_assoc_statement_address_id'])) {
    $wancfg['adv_dhcp6_id_assoc_statement_address_id'] = $_POST['adv_dhcp6_id_assoc_statement_address_id'];
}
if (is_numericint($_POST['adv_dhcp6_id_assoc_statement_prefix_id'])) {
    $wancfg['adv_dhcp6_id_assoc_statement_prefix_id'] = $_POST['adv_dhcp6_id_assoc_statement_prefix_id'];
}
if (is_numericint($_POST['adv_dhcp6_prefix_interface_statement_sla_id'])) {
    $wancfg['adv_dhcp6_prefix_interface_statement_sla_id'] = $_POST['adv_dhcp6_prefix_interface_statement_sla_id'];
}
if (is_numericint($_POST['adv_dhcp6_prefix_interface_statement_sla_len'])) {
    $wancfg['adv_dhcp6_prefix_interface_statement_sla_len'] = $_POST['adv_dhcp6_prefix_interface_statement_sla_len'];
}
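A stand-alone PHP sketch of the gap described in the comment above, added here and not taken from pfSense or from the changeset: each field is checked once, and a failed check produces an error message instead of silently skipping the assignment. The `is_numericint_standin()` helper, the field labels and the sample submission are assumptions made for this example.

```php
<?php
// Added example: stand-alone sketch, not pfSense source.

// Hypothetical stand-in for is_numericint() from the snippet above.
// Assumed semantics: a non-empty string of ASCII decimal digits only.
function is_numericint_standin(string $value): bool {
    return preg_match('/^[0-9]+$/D', $value) === 1;
}

// Field names are from the ticket; the labels are constructed for this example.
const DHCP6_INT_FIELDS = [
    'adv_dhcp6_id_assoc_statement_address_id'      => 'id-assoc na ID',
    'adv_dhcp6_id_assoc_statement_prefix_id'       => 'id-assoc pd ID',
    'adv_dhcp6_prefix_interface_statement_sla_id'  => 'Prefix interface sla-id',
    'adv_dhcp6_prefix_interface_statement_sla_len' => 'Prefix interface sla-len',
];

// Returns [accepted values, error messages]. An empty field counts as omitted;
// a non-empty invalid value yields an error instead of being dropped silently.
function validate_dhcp6_int_fields(array $post): array {
    $accepted = [];
    $errors = [];
    foreach (DHCP6_INT_FIELDS as $name => $label) {
        $raw = $post[$name] ?? '';
        if (!is_string($raw)) { // e.g. name[]=1 arrives as an array
            $errors[] = "{$label} must be a single value.";
            continue;
        }
        $raw = trim($raw);
        if ($raw === '') {
            continue;
        }
        if (!is_numericint_standin($raw)) {
            $errors[] = "{$label} must be a non-negative integer.";
            continue;
        }
        $accepted[$name] = $raw;
    }
    return [$accepted, $errors];
}

// Constructed sample submission: "F" is the value from the bug report.
$post = [
    'adv_dhcp6_id_assoc_statement_address_id' => '0',
    'adv_dhcp6_id_assoc_statement_prefix_id'  => 'F',
];
[$accepted, $errors] = validate_dhcp6_int_fields($post);
// Store only when the whole form is valid; otherwise show every error.
echo $errors ? implode("\n", $errors) . "\n" : "saved: " . json_encode($accepted) . "\n";
```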
Updated by Jim Pingle almost 2 years ago
- Status changed from Confirmed to Feedback
- % Done changed from 0 to 100
Applied in changeset 522e3f912bf849161e5a52e50fcc7fc80c3b11f5.
Updated by Flole Systems almost 2 years ago
Wouldn't it be possible to limit the possible characters in the web interface as well? Using the HTML5 attribute type="number" it should prevent any non-numbers from being entered. Or should it be put into a separate issue, as this can most likely be added at multiple other places as well?
Updated by Jim Pingle almost 2 years ago
Client-side validation in JS could probably be done to help guide users toward valid input, but that should be a separate issue if there isn't one already. Whether or not it works on that specific type of form field is the question. Ultimately we need the server-side validation in place first (this issue) because we can't trust client validation on its own, as clients themselves can be malicious.
Updated by Jim Pingle almost 2 years ago
- Subject changed from "id-assoc pd ID" allows non-numbers to be entered to Several advanced DHCP6 client options do not inform the user when rejecting invalid input
Updating subject for release notes.
Updated by Jim Pingle almost 2 years ago
- Status changed from Feedback to Resolved
Working as expected now