src: add portable url_safe() like we have exec_safe(); closes #1068

(cherry picked from commit 35ec2adc) (cherry picked from commit f52dd530) (cherry picked from commit 54ec6487)

src: add portable url_safe() like we have exec_safe(); closes #1068
(cherry picked from commit 35ec2adc) (cherry picked from commit f52dd530) (cherry picked from commit 54ec6487)
f2219ed4 · Franco Fichtner · ecdba588 · f2219ed4 · f2219ed4 · f2219ed4
Commit f2219ed4 authored Aug 22, 2016 by Franco Fichtner
5 changed files
--- a/src/etc/inc/util.inc
+++ b/src/etc/inc/util.inc
@@ -988,6 +988,21 @@ function log_error($error)
    syslog(LOG_ERR, "$page: $error");
 }
+function url_safe($format, $args = array())
+{
+    if (!is_array($args)) {
+        /* just in case there's only one argument */
+        $args = array($args);
+    }
+    foreach ($args as $id => $arg) {
+        $args[$id] = urlencode($arg);
+    }
+    return vsprintf($format, $args);
+}
 /****f* util/exec_command
 * NAME
 *   exec_command - Execute a command and return a string of the result.

--- a/src/www/status_wireless.php
+++ b/src/www/status_wireless.php
@@ -33,19 +33,19 @@ require_once("interfaces.inc");
 if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    if(!empty($_GET['if'])) {
-        $if = htmlspecialchars($_GET['if']);
+        $if = $_GET['if'];
    }
    if (!empty($_GET['savemsg']) && $_GET['savemsg'] == 'rescan') {
        $savemsg = gettext("Rescan has been initiated in the background. Refresh this page in 10 seconds to see the results.");
    }
 } elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!empty($_POST['if'])) {
-        $if = htmlspecialchars($_POST['if']);
+        $if = $_POST['if'];
    }
    $rwlif = escapeshellarg(get_real_interface($if));
    if(!empty($_POST['rescanwifi'])) {
-        mwexec_bg("/sbin/ifconfig {$rwlif} scan 2>&1");
+        mwexecf_bg('/sbin/ifconfig %s scan', $rwlif);
-        header("Location: status_wireless.php?if=" . $if. "&savemsg=rescan");
+        header(url_safe('Location: status_wireless.php?if=%s&savemsg=rescan', $if));
        exit;
    }
 }
@@ -86,7 +86,7 @@ include("head.inc");
 ?>
        <div class="content-box">
          <form method="post" name="iform" id="iform">
-            <input type="hidden" name="if" id="if" value="<?=$if;?>">
+            <input type="hidden" name="if" id="if" value="<?= html_safe($if) ?>">
            <header class="content-box-head container-fluid">
              <h3><?=gettext("Nearby access points or ad-hoc peers"); ?></h3>
            </header>

--- a/src/www/system_usermanager.php
+++ b/src/www/system_usermanager.php
@@ -173,7 +173,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            unset($a_user[$id]);
            write_config();
            $savemsg = sprintf(gettext('The user "%s" was successfully removed.'), $userdeleted);
-            header("Location: system_usermanager.php?savemsg=".$savemsg);
+            header(url_safe('Location: system_usermanager.php?savemsg=%s', $savemsg));
            exit;
        }
    } elseif ($act == "delcert" && isset($id)) {
@@ -183,7 +183,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        unset($a_user[$id]['cert'][$pconfig['certid']]);
        write_config();
        $savemsg = sprintf(gettext('The certificate association "%s" was successfully removed.'), $certdeleted);
-        header("Location: system_usermanager.php?savemsg=".$savemsg."&act=edit&userid=".$id);
+        header(url_safe('Location: system_usermanager.php?savemsg=%s&act=edit&userid=%s', array($savemsg, $id)));
        exit;
    } elseif ($act == "newApiKey" && isset($id)) {
        // every action is using the sequence of the user, to keep it understandable, we will use
@@ -209,7 +209,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $savemsg = gettext('No API key found');
        }
        // redirect
-        header("Location: system_usermanager.php?savemsg=".$savemsg."&act=edit&userid=".$id);
+        header(url_safe('Location: system_usermanager.php?savemsg=%s&act=edit&userid=%s', array($savemsg, $id)));
        exit;
    } elseif (isset($pconfig['save'])) {
        // save user
@@ -347,17 +347,17 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            if (!empty($pconfig['chkNewCert'])) {
                // redirect to cert manager when a new cert is requested for this user
-                header("Location: system_certmanager.php?act=new&userid=".(count($a_user)-1));
+                header(url_safe('Location: system_certmanager.php?act=new&userid=%s', count($a_user) - 1));
            } else {
-                header("Location: system_usermanager.php");
+                header(url_safe('Location: system_usermanager.php'));
                exit;
            }
        }
    } elseif (isset($id)) {
-        header("Location: system_usermanager.php?userid=".$id);
+        header(url_safe('Location: system_usermanager.php?userid=%s', $id));
        exit;
    } else {
-        header("Location: system_usermanager.php");
+        header(url_safe('Location: system_usermanager.php'));
        exit;
    }
 }

--- a/src/www/system_usermanager_addprivs.php
+++ b/src/www/system_usermanager_addprivs.php
@@ -52,7 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
        $input_type = "group";
        $id = $_GET['groupid'];
    } else {
-        header("Location: system_usermanager.php");
+        header(url_safe('Location: system_usermanager.php'));
        exit;
    }
    if ($input_type == "group") {
@@ -80,7 +80,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            $retval = write_config();
            $savemsg = get_std_save_message();
-            header("Location: system_usermanager.php?act=edit&userid=".$userid."&savemsg=".$savemsg);
+            header(url_safe('Location: system_usermanager.php?act=edit&userid=%s&savemsg=%s', array($userid, $savemsg)));
            exit;
        } elseif ($_POST['input_type'] == 'group' && isset($config['system']['group'][$pconfig['id']]['name'])) {
            $groupid = $_POST['id'];
@@ -101,11 +101,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            }
            write_config();
-            header("Location: system_groupmanager.php?act=edit&groupid={$groupid}");
+            header(url_safe('Location: system_groupmanager.php?act=edit&groupid=%s', $groupid));
            exit;
        }
    }
-    header("Location: system_usermanager.php");
+    header(url_safe('Location: system_usermanager.php'));
    exit;
 }

--- a/src/www/vpn_ipsec_mobile.php
+++ b/src/www/vpn_ipsec_mobile.php
@@ -85,14 +85,14 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    $pconfig = $_POST;
    if (isset($_POST['create'])) {
        // create new phase1 entry
-        header("Location: vpn_ipsec_phase1.php?mobile=true");
+        header(url_safe('Location: vpn_ipsec_phase1.php?mobile=true'));
        exit;
    } elseif (isset($_POST['apply'])) {
        // apply changes
        ipsec_configure();
        $savemsg = get_std_save_message();
        clear_subsystem_dirty('ipsec');
-        header("Location: vpn_ipsec_mobile.php?savemsg=".$savemsg);
+        header(url_safe('Location: vpn_ipsec_mobile.php?savemsg=%s', $savemsg));
        exit;
    } elseif (isset($_POST['submit'])) {
        // save form changes
@@ -173,7 +173,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
            write_config();
            mark_subsystem_dirty('ipsec');
-            header("Location: vpn_ipsec_mobile.php");
+            header(url_safe('Location: vpn_ipsec_mobile.php'));
            exit;
        }
    }