Changeset 813 for trunk/cgi-bin


Timestamp:
03/08/16 16:08:40 (9 years ago)
Author:
Kris Deugau
Message:

/trunk

Wrap validation of backup fields in an ACL check. See #52.

File:
1 edited

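--- a/trunk/cgi-bin/main.cgi
+++ b/trunk/cgi-bin/main.cgi
@@ -964,39 +964,42 @@
 
   # Backup fields.  Minimal sanity checks.
-  for my $bkfield (qw(brand model)) {
-    if (!$webvar{"bk$bkfield"}) {
-      $page->param(err => "Backup $bkfield must be filled in if IP/netblock is flagged for backup");
-      return;
-    }
-    if ($webvar{"bk$bkfield"} !~ /^[a-zA-Z0-9\s_.-]+$/) {
-      $page->param(err => "Invalid characters in backup $bkfield");
-      return;
-    }
-  }
-  for my $bkfield (qw(type src user)) {  # no spaces in these!
-    if ($webvar{"bk$bkfield"} && $webvar{"bk$bkfield"} !~ /^[a-zA-Z0-9_.-]+$/) {
-      $page->param(err => "Invalid characters in backup $bkfield");
-      return;
-    }
-  }
-  if ($webvar{bkport}) {
-    $webvar{bkport} =~ s/^\s+//g;
-    $webvar{bkport} =~ s/\s+$//g;
-    if ($webvar{bkport} !~ /^\d+$/) {
-      $page->param(err => "Backup port must be numeric");
-      return;
-    }
-  }
+  # Bypass if the user isn't authorized for backup data, or if the checkbox is unchecked
+  if ($IPDBacl{$authuser} =~ /s/ && defined($webvar{backupfields})) {
+    for my $bkfield (qw(brand model)) {
+      if (!$webvar{"bk$bkfield"}) {
+        $page->param(err => "Backup $bkfield must be filled in if IP/netblock is flagged for backup");
+        return;
+      }
+      if ($webvar{"bk$bkfield"} !~ /^[a-zA-Z0-9\s_.-]+$/) {
+        $page->param(err => "Invalid characters in backup $bkfield");
+        return;
+      }
+    }
+    for my $bkfield (qw(type src user)) {  # no spaces in these!
+      if ($webvar{"bk$bkfield"} && $webvar{"bk$bkfield"} !~ /^[a-zA-Z0-9_.-]+$/) {
+        $page->param(err => "Invalid characters in backup $bkfield");
+        return;
+      }
+    }
+    if ($webvar{bkport}) {
+      $webvar{bkport} =~ s/^\s+//g;
+      $webvar{bkport} =~ s/\s+$//g;
+      if ($webvar{bkport} !~ /^\d+$/) {
+        $page->param(err => "Backup port must be numeric");
+        return;
+      }
+    }
 ##fixme:  code review:  should normalize $webvar{cidr} variants so we can
 # check for non-/32 allocations having the backup IP field filled in here,
 # instead of failing on the allocation or update attempt
-  if ($webvar{bkip}) {
-    $webvar{bkip} =~ s/^\s+//g;
-    $webvar{bkip} =~ s/\s+$//g;
-    if ($webvar{bkip} !~ /^[\da-fA-F:.]+$/) {
-      $page->param(err => "Backup IP must be an IP");
-      return;
-    }
-  }
+    if ($webvar{bkip}) {
+      $webvar{bkip} =~ s/^\s+//g;
+      $webvar{bkip} =~ s/\s+$//g;
+      if ($webvar{bkip} !~ /^[\da-fA-F:.]+$/) {
+        $page->param(err => "Backup IP must be an IP");
+        return;
+      }
+    }
+  } # backup
 
   return 'OK';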
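Review bot: The new `if ($IPDBacl{$authuser} =~ /s/ && defined($webvar{backupfields}))` guard at line 967 skips validation of the bk* fields but leaves their values in `%webvar`, so if the allocation/update code further down still reads `$webvar{bkbrand}`, `$webvar{bkip}` etc. regardless of the ACL or checkbox (not visible in this hunk), an unauthorized user, or a request with the checkbox unchecked, could still push unvalidated values through. A safer shape is to discard them whenever the checks are bypassed: `} else { delete @webvar{qw(bkbrand bkmodel bktype bksrc bkuser bkport bkip)}; } # backup`. Separately, `=~ /s/` presumably tests a single-letter flag string; if `$IPDBacl{$authuser}` can ever hold longer tokens, an unanchored `s` would match inside them, so an explicit flag test would be clearer. The `$` anchors in the bkport and bkip patterns also admit a trailing newline; `\z` is the strict form. The enclosing subroutine starts before this hunk.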