Unbreak the DNS rebind check when accessing over IPv4
Fix the referrer checks for IPv6 addresses Ticket #1583
Fix the DNS rebind Check for IPv6 addresses Ticket #1583
Correct array key typo mistake. Ticket #1052
Ticket #1052. Enforce certificates if they are present for authenticating to ldap. Allow to select a CA under ldap type authentication backend to be used for this.
Merge remote-tracking branch 'upstream/master'
Conflicts: etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/interfaces.inc etc/inc/services.inc etc/inc/xmlrpc_client.inc usr/local/www/fbegin.inc usr/local/www/services_dhcp.php
Merge remote branch 'upstream/master'
Merge remote-tracking branch 'mainline/master' into inc
Add proper checks in auth code for testing if the section has been set in the config. Also do the same in the ugprade code
Conflicts: etc/inc/gwlb.inc
Add an IPsec xauth permission. Try to use the nologin shell first (just unlock the account). Ticket #1202
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc etc/inc/priv.defs.inc etc/inc/services.inc...
Add IPv6 support to the DNS rebinding attack function
Make it possible to turn off successful login messages, this should quiet the console, system logs
Merge branch 'master' into inc
Conflicts: etc/inc/captiveportal.inc etc/inc/config.console.inc etc/inc/config.lib.inc etc/inc/easyrule.inc etc/inc/filter.inc etc/inc/ipsec.inc etc/inc/pkg-utils.inc etc/inc/shaper.inc...
Silence warnings.
allow 127.0.0.1 and localhost for HTTP_REFERER checks
Merge remote branch 'mainline/master' into inc
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/filter.inc etc/inc/gwlb.inc etc/inc/interfaces.inc etc/inc/pfsense-utils.inc etc/inc/pkg-utils.inc...
Correct webConfgurator auth/error messages
Add log_auth() which with send items to syslogd using LOG_AUTH facilities. Use this new log_authh() for login error and success entries
Switches must come after the user name when using pw lock/unlock.
Remove authorized_keys file when there are no authorized keys for the user.
Add successful user for sshlockout
Reword auth error message to match ssh for the most part
Revert "Add Active Directory group membership checking Ticket #1009"
This reverts commit ef17372492fb3d271497160a816eba64b3bcf436.
Add Active Directory group membership checking Ticket #1009
Don't consider the HTTP referrer check as passing if it was skipped. Ticket #1027
Upon restoring a config, replacing whole sections, or editing config.xml in edit.php, prevent possible accidental lockout from DNS rebind and HTTP referrer checks by disabling them until reboot or the next time they pass, whichever comes sooner. Ticket #1027
Various fixes and improvements for the DNS rebind and HTTP referrer checks.
Add workaround for referrer check to not be triggered on the previous IP address when redirected by the setup wizard.
Conflicts: etc/inc/PEAR.inc etc/inc/filter.inc
Make sure this isn't searching the referrer using a blank host or IP, which will always match the referrer.
Fix case for testing the referrer check setting. Ticket #1011
Don't perform referer check if display_error_form is not defined (captive portal), just like as is done for the DNS rebind check. Ticket #1007
Unset this reference before reusing the variable name to prevent corruption of groups.
Fix a theoretical/potential XSS in the http_referer check warning.
Correct HTTP_REFERER check when using an IP Address vs the Firewalls hostname
Remove trailing carriage return
This will prevent HTML pages from crafting HTML GETs against the web interface and will prevent firewall admins from being "tricked" into clicking on links that may be harmful to their firewall.
Conflicts: etc/inc/auth.inc etc/inc/config.lib.inc etc/inc/priv.defs.inc etc/inc/system.inc etc/inc/upgrade_config.inc etc/inc/vpn.inc
Do not require LDAP search base DN. Requiring this can prevent some valid LDAP configurations from properly authenticating. (See GDD-550841).
Add a note to the DNS Rebinding protection error letting the user know to try by IP address.
Convert fullname field on users to descr, so it gains CDATA protection.
More gettext fixes
Fix quotes to use %N$X on gettext calls
Conflicts: etc/inc/filter.inc etc/inc/system.inc
Test before working on what could be an empty value, otherwise it ends up set and causing an unexpected duplication. Fixes duplicate groups when editing users, as reported here: http://forum.pfsense.org/index.php/topic,26612.0.html
Conflicts: etc/inc/filter.inc etc/inc/gwlb.inc
Check for proper type.
Fix gettext calls with printf to permit change strings order
Conflicts: etc/inc/interfaces.inc
Avoid a warning on this code when there is no member for a group.
Adapt to use 2.0's accounts
Implement gettext() calls on auth.inc
Make sure this variable is an array before performing array operations upon it.
Move the required once in a more appropriate place.
Don't maintain a membership for the 'all' group when it includes everyone. Just return it for everyone if the 'all' group is requested. For the count of the 'all' group, just return a count of all the users on the system. Fixes #613
Require radius.inc if the webGUI is using radius as the method.
Flip this back the other way, the group operation will fail if the user isn't set yet.
Silence this command
Add SSH tunneling privilege to list of available privileges.
Lock out shell accounts that have no OS access, or are expired/disabled.
Add check for user-ssh-tunnel to give users access to the ssh tunnel shell
Flip this test around so it is easier to follow/read.
Sync groups first, since users may rely on group changes.
Make sure a user gets deleted from the 'all' group.
Clean up this code.
Remove home directory when deleting a user.
Bypass the DNS Rebind attack checks if accessing by IP address.
Check for locally configured IPs in DNS rebind checks, so people who port forward from WAN to the LAN IP can still work.
Add a text box where someone can enter in alternate hostnames for the system to bypass the DNS rebind checks.
Add a checkbox to disable DNS rebinding checks if needed.
More fixes for DNS rebinding checks (Most of this code is Scott's, with some minor fixes by me)
Correct check
Check for 127.0.0.1 as well
Oops, correct check
Add localhost as a valid host for SSH forwarding cases
Wrap the dns rebind check in a test to see if our error function exists. If it doesn't, it's probably being called from captive portal, so skip the check. Fixes #721
Move the skel dir to /etc/skel, where it's easier to manage from a build point of view.
Slight fix to dyndns check
Check dyndns hostnames as well for DNS Rebind issues
^ Potential
Binding -> Rebinding
Comment what we are doing here and add the ticket #.
More dns-rebind checks. Ticket #708
Give users with ssh access a real shell, but make sure that admin still gets /etc/rc.initial
Set a skeleton directory for pw
Let pw handle the creation of the home directory rather than do it in php.
Give users who have "all" privileges shell access. Part of ticket #614
Remove some redundant code and make sure admin's home directory is /root - Fixes #218
Fixes #613. Add correctly users to all users group.
Do not include functions.inc just for pfSenseHeader which is not really the best place to use!
Fixes #660. Simplify some code and correctly do an exit after a redirect is issued. Thanks-to: Efonne for analysis.
Use mwexec where it does not make sense to use popen for something that does not take any parameters. Create a function to actually remove a user from its groups when the user itself is deleted.
Correct the shell for the admin account, this should be /etc/rc.initial. Not /bin/sh
Fix creation of admin user account with uid of 0. This fixes ticket #574
Allow the webui admin account to have a duplicate user ID of 0.Make sure to create that account before attempting to modify it's attributes