
Revision 7505efe7

Added by Jim Pingle about 8 years ago

If a client address is in the webConfiguratorlockout table, do not allow them to access the GUI. Print an error and kill their states. Ticket #7693
Extra check to be sure that an existing open state cannot bypass lockout controls.

(cherry picked from commit cc9b0f76da4936ac7510eee6cb5e0574d11b5973)
(cherry picked from commit f0da1eda7c38c18202cc0563fd1c83c20a05e2b2)


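--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -67,6 +67,31 @@
 
 /* If this function doesn't exist, we're being called from Captive Portal or
    another internal subsystem which does not include authgui.inc */
+if (function_exists("display_error_form")) {
+	/* Extra layer of lockout protection. Check if the user is in the GUI
+	 * lockout table before processing a request */
+
+	/* Fetch the contents of the lockout table. */
+	exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries);
+
+	/* If the client is in the lockout table, print an error, kill states, and exit */
+	if (in_array($_SERVER['REMOTE_ADDR'], array_map('trim', $entries))) {
+		if (!security_checks_disabled()) {
+			/* They may never see the error since the connection will be cut off, but try to be nice anyhow. */
+			display_error_form("501", gettext("Access Denied<br/><br/>Access attempt from a temporarily locked out client address.<br /><br />Try accessing the firewall again after the lockout expires."));
+			/* If they are locked out, they shouldn't have a state. Disconnect their connections. */
+			$retval = pfSense_kill_states($_SERVER['REMOTE_ADDR']);
+			if (is_ipaddrv4($_SERVER['REMOTE_ADDR'])) {
+				$retval = pfSense_kill_states("0.0.0.0/0", $_SERVER['REMOTE_ADDR']);
+			} elseif (is_ipaddrv6($_SERVER['REMOTE_ADDR'])) {
+				$retval = pfSense_kill_states("::", $_SERVER['REMOTE_ADDR']);
+			}
+			exit;
+		}
+		$security_passed = false;
+	}
+}
+
 if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
 	/* DNS ReBinding attack prevention.  https://redmine.pfsense.org/issues/708 */
 	$found_host = false;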
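Review bot: The lockout check fails open when `pfctl` cannot be run: `$entries` is never initialised before the `exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries)` line and the command's exit status is not captured, so on failure `array_map('trim', $entries)` operates on an unset value, emits a warning, and `in_array()` returns a falsy result that lets the request through. Initialise the array and record the status so the outcome is explicit: `$entries = array();` before the exec, `exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries, $pfctl_rc);`, and treat a non-zero `$pfctl_rc` deliberately (log it, or keep the fail-open but say so in the comment) rather than by accident. While there, pass `true` as the third argument to `in_array()` so the address comparison is strict string equality, and note that an exact-string match will not recognise the client if the table ever holds network (CIDR) entries rather than single hosts — presumably it only holds hosts today, but that assumption is worth a comment. The repeated `$retval` assignments are never read and can be dropped.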
