ACME: Acct key edit improvements. Fixes #12891

* urlencode account name so that trailing spaces and other chars will work properly * Make delete action use POST * Fix double confirmation prompt on delete
pfsense · Mar 3, 2022 · 29bab84 · 29bab84
1 parent 7db079f
commit 29bab84
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 11 deletions.
diff --git a/security/pfSense-pkg-acme/Makefile b/security/pfSense-pkg-acme/Makefile
@@ -2,6 +2,7 @@
 
 PORTNAME=	pfSense-pkg-acme
 PORTVERSION=	0.7
+PORTREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	# empty
 DISTFILES=	# empty

diff --git a/security/pfSense-pkg-acme/files/usr/local/www/acme/acme_accountkeys.php b/security/pfSense-pkg-acme/files/usr/local/www/acme/acme_accountkeys.php
@@ -98,8 +98,8 @@
 	}
 }
 
-if ($_GET['act'] == "del") {
-	$id = $_GET['id'];
+if ($_POST['act'] == "del") {
+	$id = $_POST['id'];
 	$id = get_accountkey_id($id);
 	if (isset($a_accountkeys[$id])) {
 		if (!$input_errors) {
@@ -175,14 +175,14 @@
 				<?=htmlspecialchars($accountkey['acmeserver']);?>
 			  </td>
 			  <td class="action-icons">
-				<button style="display: none;" class="btn btn-default btn-xs" type="submit" id="move_<?=$accountname?>" name="move_<?=$accountname?>" value="move_<?=$accountname?>"></button>
-				<a href="acme_accountkeys_edit.php?id=<?=$accountname;?>">
+				<button style="display: none;" class="btn btn-default btn-xs" type="submit" id="move_<?=urlencode($accountname)?>" name="move_<?=urlencode($accountname)?>" value="move_<?=urlencode($accountname)?>"></button>
+				<a href="acme_accountkeys_edit.php?id=<?=urlencode($accountname);?>">
 					<?=acmeicon("edit", gettext("edit"))?>
 				</a>
-				<a href="acme_accountkeys.php?act=del&amp;id=<?=$accountname;?>" onclick="return confirm('Do you really want to delete this entry?')">
+				<a href="acme_accountkeys.php?act=del&amp;id=<?=$accountname;?>" usepost>
 					<?=acmeicon("delete", gettext("delete"))?>
 				</a>
-				<a href="acme_accountkeys_edit.php?dup=<?=$accountname;?>">
+				<a href="acme_accountkeys_edit.php?dup=<?=urlencode($accountname);?>">
 					<?=acmeicon("clone", gettext("clone"))?>
 				</a>
 			  </td>

diff --git a/security/pfSense-pkg-acme/files/usr/local/www/acme/acme_accountkeys_edit.php b/security/pfSense-pkg-acme/files/usr/local/www/acme/acme_accountkeys_edit.php
@@ -49,11 +49,7 @@
 }
 $a_accountkeys = &$config['installedpackages']['acme']['accountkeys']['item'];
 
-if (isset($_POST['id'])) {
-	$id = $_POST['id'];
-} else {
-	$id = $_GET['id'];
-}
+$id = $_REQUEST['id'];
 
 if (isset($_GET['dup'])) {
 	$id = $_GET['dup'];