From b7281ffc1a98d7724d97385c99bd802b526ee0c2 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Fri, 25 Oct 2019 08:53:53 -0400
Subject: [PATCH] pfBlockerNG log download validation. Fixes #9846
Submitted By: BBcan177
(cherry picked from commit 38be8c32b1638b230310c0a547532b74609a31bc)
---
 net/pfSense-pkg-pfBlockerNG-devel/Makefile | 2 +-
 .../local/www/pfblockerng/pfblockerng_log.php | 26 ++++++++++++++++-
 net/pfSense-pkg-pfBlockerNG/Makefile | 2 +-
 .../local/www/pfblockerng/pfblockerng_log.php | 28 +++++++++++++++++--
 4 files changed, 53 insertions(+), 5 deletions(-)
diff --git a/net/pfSense-pkg-pfBlockerNG-devel/Makefile b/net/pfSense-pkg-pfBlockerNG-devel/Makefile
index c6d15d0ae602..4b361ad1d95e 100644
--- a/net/pfSense-pkg-pfBlockerNG-devel/Makefile
+++ b/net/pfSense-pkg-pfBlockerNG-devel/Makefile
@@ -2,7 +2,7 @@
 PORTNAME= pfSense-pkg-pfBlockerNG-devel
 PORTVERSION= 2.2.5
-PORTREVISION= 25
+PORTREVISION= 26
 CATEGORIES= net
 MASTER_SITES= # empty
 DISTFILES= # empty
diff --git a/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_log.php b/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_log.php
index 32395dc09a79..7691ea5b0bab 100644
--- a/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_log.php
+++ b/net/pfSense-pkg-pfBlockerNG-devel/files/usr/local/www/pfblockerng/pfblockerng_log.php
@@ -192,6 +192,22 @@ function pfb_htmlspecialchars($line) {
 return htmlspecialchars($line, ENT_NOQUOTES);
 }
+// Function to validate file/path
+function pfb_validate_filepath($validate, $pfb_logtypes) {
+
+ $allowed_path = array();
+ foreach ($pfb_logtypes as $type) {
+ $allowed_path[$type['logdir']] = '';
+ }
+
+ $path = pathinfo($validate, PATHINFO_DIRNAME) . '/';
+ $file = basename($validate);
+
+ if ($path == '/var/unbound/' && $file != 'pfb_dnsbl.conf') {
+ return FALSE;
+ }
+ return isset($allowed_path[$path]);
+}
 $pconfig = array();
 if ($_POST) {
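Review bot: `pfb_validate_filepath()` compares the directory part of the request string lexically and never resolves it, so a final path component of `.` or `..`, or a symlink sitting inside an allowed log directory, still passes the `isset($allowed_path[$path])` test. Resolving first, `$real = realpath($validate); if ($real === false) { return false; }`, and then taking `pathinfo()`/`basename()` of `$real` would tighten that, provided the `logdir` entries are stored in canonical form as well (not visible in this hunk). The match also depends on every `$type['logdir']` ending in `/`, which deserves a line in the header comment, and the `==`/`!=` comparisons can become `===`/`!==`. The identical function is added to the pfSense-pkg-pfBlockerNG copy at `@@ -165,6 +165,22 @@`, so the same applies there.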
@@ -202,6 +218,10 @@ function pfb_htmlspecialchars($line) {
 if ($_REQUEST['ajax']) {
 clearstatcache();
 $pfb_logfilename = htmlspecialchars($_REQUEST['file']);
+ if (!pfb_validate_filepath($pfb_logfilename, $pfb_logtypes)) {
+ print ("|0|" . gettext('Invalid filename/path') . ".|");
+ exit;
+ }
 // Load log
 if ($_REQUEST['action'] == 'load') {
@@ -222,7 +242,11 @@ function pfb_htmlspecialchars($line) {
 // Download/Clear logfile
 if ($pconfig['logFile'] && ($pconfig['download'] || $pconfig['clear'])) {
- $s_logfile = $pconfig['logFile'];
+ $s_logfile = htmlspecialchars($pconfig['logFile']);
+ if (!pfb_validate_filepath($s_logfile, $pfb_logtypes)) {
+ print ("|0|" . gettext('Invalid filename/path') . ".|");
+ exit;
+ }
 // Clear selected file
 if ($pconfig['clear']) {
diff --git a/net/pfSense-pkg-pfBlockerNG/Makefile b/net/pfSense-pkg-pfBlockerNG/Makefile
index 367089526c1c..6c56af586093 100644
--- a/net/pfSense-pkg-pfBlockerNG/Makefile
+++ b/net/pfSense-pkg-pfBlockerNG/Makefile
@@ -2,7 +2,7 @@
 PORTNAME= pfSense-pkg-pfBlockerNG
 PORTVERSION= 2.1.4
-PORTREVISION= 17
+PORTREVISION= 18
 CATEGORIES= net
 MASTER_SITES= # empty
 DISTFILES= # empty
diff --git a/net/pfSense-pkg-pfBlockerNG/files/usr/local/www/pfblockerng/pfblockerng_log.php b/net/pfSense-pkg-pfBlockerNG/files/usr/local/www/pfblockerng/pfblockerng_log.php
index f3b9722c9562..33868644ec4f 100644
--- a/net/pfSense-pkg-pfBlockerNG/files/usr/local/www/pfblockerng/pfblockerng_log.php
+++ b/net/pfSense-pkg-pfBlockerNG/files/usr/local/www/pfblockerng/pfblockerng_log.php
@@ -4,7 +4,7 @@
 *
 * part of pfSense (https://www.pfsense.org)
 * Copyright (c) 2016 Rubicon Communications, LLC (Netgate)
- * Copyright (c) 2015-2016 BBcan177@gmail.com
+ * Copyright (c) 2015-2019 BBcan177@gmail.com
 * All rights reserved.
 *
 * Portions of this code are based on original work done for the
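Review bot: The new check in the `ajax` branch validates `$pfb_logfilename` after `htmlspecialchars()` has already rewritten it, so the path that is validated (and presumably opened further down, outside this hunk) is an HTML-encoded string rather than the name the client sent. Escaping belongs at the point of output; I would keep the raw value for validation and file access, `$pfb_logfilename = $_REQUEST['file'];`, and escape only where the name is echoed back. The `@@ -222,7 +242,11 @@` hunk adds the same `htmlspecialchars()` wrapping to `$s_logfile`, and both hunks repeat in the pfSense-pkg-pfBlockerNG copy.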
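Review bot: A rejected download or clear request ends with `exit` on a normal 200 response carrying the `|0|…|` string that the AJAX branch uses, and nothing is recorded about the refusal. `clear` changes state, so a refused path is worth a log entry naming the requesting user and the rejected value (with control characters stripped), and a `http_response_code(400);` before the `print` lets clients and monitoring tell a refusal from a normal reply. Whether this branch is ever reached from an AJAX caller is not visible here; if it is a plain form post, the page's usual error display would fit better than the pipe-delimited string. The same lines are added in the ajax hunk above and in both corresponding hunks of the pfSense-pkg-pfBlockerNG copy; the enclosing `if` block continues past the end of the hunk.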
@@ -165,6 +165,22 @@ function pfb_htmlspecialchars($line) {
 return htmlspecialchars($line, ENT_NOQUOTES);
 }
+// Function to validate file/path
+function pfb_validate_filepath($validate, $pfb_logtypes) {
+
+ $allowed_path = array();
+ foreach ($pfb_logtypes as $type) {
+ $allowed_path[$type['logdir']] = '';
+ }
+
+ $path = pathinfo($validate, PATHINFO_DIRNAME) . '/';
+ $file = basename($validate);
+
+ if ($path == '/var/unbound/' && $file != 'pfb_dnsbl.conf') {
+ return FALSE;
+ }
+ return isset($allowed_path[$path]);
+}
 $pconfig = array();
 if ($_POST) {
@@ -175,6 +191,10 @@ function pfb_htmlspecialchars($line) {
 if ($_REQUEST['ajax']) {
 clearstatcache();
 $pfb_logfilename = htmlspecialchars($_REQUEST['file']);
+ if (!pfb_validate_filepath($pfb_logfilename, $pfb_logtypes)) {
+ print ("|0|" . gettext('Invalid filename/path') . ".|");
+ exit;
+ }
 // Load log
 if ($_REQUEST['action'] == 'load') {
@@ -195,7 +215,11 @@ function pfb_htmlspecialchars($line) {
 // Download/Clear logfile
 if ($pconfig['logFile'] && ($pconfig['download'] || $pconfig['clear'])) {
- $s_logfile = $pconfig['logFile'];
+ $s_logfile = htmlspecialchars($pconfig['logFile']);
+ if (!pfb_validate_filepath($s_logfile, $pfb_logtypes)) {
+ print ("|0|" . gettext('Invalid filename/path') . ".|");
+ exit;
+ }
 // Clear selected file
 if ($pconfig['clear']) {