Commit 5ecd977a authored by Franco Fichtner's avatar Franco Fichtner

auth: fix HTTP_REVER checks by reverts for now

This reverts commit 92a5f77a.
This reverts commit 681f654c.
parent 811a0468
...@@ -38,7 +38,8 @@ ...@@ -38,7 +38,8 @@
/* include globals from notices.inc /utility/XML parser files */ /* include globals from notices.inc /utility/XML parser files */
require_once("radius.inc"); require_once("radius.inc");
require_once("interfaces.inc");
require_once("util.inc");
// Will be changed to false if security checks fail // Will be changed to false if security checks fail
$security_passed = true; $security_passed = true;
...@@ -147,8 +148,20 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui'][' ...@@ -147,8 +148,20 @@ if(function_exists("display_error_form") && !isset($config['system']['webgui']['
} }
if(!$found_host) { if(!$found_host) {
$found_host = isAuthLocalIP($referrer_host) ; $interface_list_ips = get_configured_ip_addresses();
foreach($interface_list_ips as $ilips) {
if(strcasecmp($referrer_host, $ilips) == 0) {
$found_host = true;
break;
}
}
$interface_list_ipv6s = get_configured_ipv6_addresses();
foreach($interface_list_ipv6s as $ilipv6s) {
if(strcasecmp($referrer_host, $ilipv6s) == 0) {
$found_host = true;
break;
}
}
if($referrer_host == "127.0.0.1" || $referrer_host == "localhost") { if($referrer_host == "127.0.0.1" || $referrer_host == "localhost") {
// allow SSH port forwarded connections and links from localhost // allow SSH port forwarded connections and links from localhost
$found_host = true; $found_host = true;
...@@ -175,35 +188,6 @@ unset($security_passed); ...@@ -175,35 +188,6 @@ unset($security_passed);
$groupindex = index_groups(); $groupindex = index_groups();
$userindex = index_users(); $userindex = index_users();
/**
* check if $http_host is a local configured ip address
*/
function isAuthLocalIP($http_host) {
global $config;
$local_ip = false;
if (isset($config['interfaces'])) {
foreach($config['interfaces'] as $if => $ifdetail) {
if (isset($ifdetail['enable'])) {
if (isset($ifdetail['ipaddr']) && $ifdetail['ipaddr'] == $http_host) {
$local_ip = true;
} elseif (isset($ifdetail['ipaddr6']) && $ifdetail['ipaddr6'] == $http_host) {
$local_ip = true;
}
}
}
}
if (isset($config['virtualip']['vip'])) {
foreach ($config['virtualip']['vip'] as $vip) {
if ($vip['subnet'] == $http_host) {
$local_ip = true;
}
}
}
return $local_ip;
}
function index_groups() function index_groups()
{ {
global $config, $groupindex; global $config, $groupindex;
......
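Review bot: The restored loops in the `if(!$found_host)` block match `$referrer_host` with `strcasecmp()`, which is a purely textual comparison: it absorbs hex-digit case but not equivalent IPv6 spellings (zero-compressed versus expanded), nor a host still wrapped in `[` `]` if the parsing above this hunk does not strip the brackets. The failure is closed, since a legitimate referrer is rejected rather than a foreign one accepted, but it makes the check unreliable over IPv6. Comparing packed addresses avoids this: compute `$ref = filter_var(trim($referrer_host, '[]'), FILTER_VALIDATE_IP) ? inet_pton(trim($referrer_host, '[]')) : false;` once, then test `if ($ref !== false && $ref === inet_pton($ilipv6s)) {` inside the loops, assuming the configured addresses carry no zone suffix. The IPv6 lookup also runs when the IPv4 loop has already matched, so guarding it with `if (!$found_host)` would skip the extra call. The enclosing block continues past the end of the hunk.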
...@@ -31,6 +31,7 @@ ...@@ -31,6 +31,7 @@
*/ */
require_once("auth.inc"); require_once("auth.inc");
require_once("filter.inc");
// provided via legacy_bindings.inc // provided via legacy_bindings.inc
global $priv_list; global $priv_list;
...@@ -397,6 +398,7 @@ function display_login_form() ...@@ -397,6 +398,7 @@ function display_login_form()
/* Check against locally configured IP addresses, which will catch when someone /* Check against locally configured IP addresses, which will catch when someone
port forwards WebGUI access from WAN to an internal IP on the router. */ port forwards WebGUI access from WAN to an internal IP on the router. */
$FilterIflist = filter_generate_optcfg_array() ;
$local_ip = false; $local_ip = false;
if (strstr($_SERVER['HTTP_HOST'], ":")) { if (strstr($_SERVER['HTTP_HOST'], ":")) {
$http_host_port = explode(":", $_SERVER['HTTP_HOST']); $http_host_port = explode(":", $_SERVER['HTTP_HOST']);
...@@ -404,10 +406,22 @@ function display_login_form() ...@@ -404,10 +406,22 @@ function display_login_form()
} else { } else {
$http_host = $_SERVER['HTTP_HOST']; $http_host = $_SERVER['HTTP_HOST'];
} }
foreach ($FilterIflist as $iflist) {
if ($iflist['ip'] == $http_host) {
$local_ip = true;
}
if ($iflist['ipv6'] == $http_host) {
$local_ip = true;
}
}
// fix, local ip check was previously done using "filter_generate_optcfg_array" which basically includes alomst everything here. if (isset($config['virtualip']['vip'])) {
// this should do the trick as well. foreach ($config['virtualip']['vip'] as $vip) {
$local_ip = isAuthLocalIP($http_host); if ($vip['subnet'] == $http_host) {
$local_ip = true;
}
}
}
if (isset($config['openvpn']['openvpn-server'])) { if (isset($config['openvpn']['openvpn-server'])) {
foreach ($config['openvpn']['openvpn-server'] as $ovpns) { foreach ($config['openvpn']['openvpn-server'] as $ovpns) {
......
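Review bot: The restored `foreach ($FilterIflist as $iflist)` loop compares `$iflist['ip']` and `$iflist['ipv6']` with the client-supplied Host value using loose `==`, and never checks that those keys exist. Under PHP's loose comparison an unset or empty address equals an empty host value, so an interface with no IPv6 address could set `$local_ip = true` for a request that named no local address. How much that matters depends on how `$local_ip` is used below the hunk, which is not shown. Use existence checks and strict comparison, `if (isset($iflist['ip']) && $iflist['ip'] === $http_host) {`, and do the same for `'ipv6'` and for `$vip['subnet']` in the virtual-IP loop. `display_login_form()` starts and ends outside these hunks.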