Safe webGUI



  • pfSense 2.0
    While booting pfSense, the webGUI fails to start with an error if any file '/usr/local/pkg/*.inc' contains a PHP syntax error or a duplicated
    function name.

    This is /etc/inc/filter.inc

    
    function discover_pkg_rules($ruletype) {
    	global $config, $g, $aliases;
    
    	/* Bail if there is no pkg directory, or if the package files might be out of sync. */
    	if(!is_dir("/usr/local/pkg") || file_exists('/conf/needs_package_sync'))
    		return "";
    
    	$rules = "";
    	$files = glob("/usr/local/pkg/*.inc");
    	foreach($files as $pkg_inc) {
    		update_filter_reload_status("Checking for {$ruletype} PF hooks in package {$pkg_inc}");
    # here need safe >>
    		require_once($pkg_inc);
    		$pkg = basename($pkg_inc, ".inc");
    		$pkg_generate_rules = "{$pkg}_generate_rules";
    		if(function_exists($pkg_generate_rules)) {
    			update_filter_reload_status("Processing early {$ruletype} rules for package {$pkg_inc}");
    			$tmprules = $pkg_generate_rules("$ruletype");
    			file_put_contents("{$g['tmp_path']}/rules.test.packages", $aliases . $tmprules);
    			$status = mwexec("/sbin/pfctl -nf {$g['tmp_path']}/rules.test.packages");
    			if ($status <> 0) {
    				$errorrules = "There was an error while parsing the package filter rules for {$pkg_inc}.\n";
    				log_error($errorrules);
    				file_put_contents("{$g['tmp_path']}/rules.packages.{$pkg}", "#{$errorrules}\n");
    				continue;
    			}
    			$rules .= $tmprules;
    		}
    # here need safe >>
    	}
    	return $rules;
    }
    
    

    This code needs to be made safe. Probably like this:

    
    # here need safe >>
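    /* php -l exits with status 0 only when the file has no syntax errors */
    exec("php -l " . escapeshellarg($pkg_inc), $lint_output, $lint_status);
    if ($lint_status == 0) {
    		require_once($pkg_inc);
                    ...
    } else {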
    # " package source $pkg_inc error "
    ... 
    }
    # here need safe >>
    

    Or some other variant.

    Sorry for my English.
    Thanks.



  • Rebel Alliance Developer Netgate

    That has always been the case; we have tried to ensure that no packages declare the same functions with the same name.

    Code to catch exceptions may prevent the execution from stopping but it would cause unpredictable behavior if two packages had functions with the same name but different functionality.



  • The error in the screenshot is about matching function names, but that is not such a common mistake. I'm talking about the need to check the syntax of the INC files before they are included.

    What do you think is needed?


  • Rebel Alliance Developer Netgate

    Ah, yeah, I see what you mean now.

    I went ahead and opened ticket http://redmine.pfsense.org/issues/1310 for it.



  • Thank you for your work!!!
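
A sketch of the pre-inclusion check discussed in this thread, covering both failure modes raised above (syntax errors and duplicated function names) without executing any package code. This is an added example, not pfSense code and not from any poster; `check_pkg_includes()`, its parameters and its return layout are hypothetical.

```php
<?php
/* Added example, not pfSense code. check_pkg_includes() is a hypothetical helper;
 * it assumes packages declare plain top-level functions (no namespaces). */
function check_pkg_includes($dir = "/usr/local/pkg", $php = "php") {
	$safe = array();      /* files that passed both checks */
	$rejected = array();  /* file => reason it must not be included */
	$owner = array();     /* lower-cased function name => file declaring it */
	foreach (glob("{$dir}/*.inc") as $pkg_inc) {
		/* php -l exits non-zero when the file does not parse. */
		$out = array();
		exec(escapeshellarg($php) . " -l " . escapeshellarg($pkg_inc) . " 2>&1", $out, $status);
		if ($status !== 0) {
			$rejected[$pkg_inc] = "syntax error: " . implode(" ", $out);
			continue;
		}
		/* Tokenize instead of including, so nothing in the file is executed. */
		$tokens = token_get_all(file_get_contents($pkg_inc));
		$declared = array();
		$depth = 0;
		$n = count($tokens);
		for ($i = 0; $i < $n; $i++) {
			$id = is_array($tokens[$i]) ? $tokens[$i][0] : $tokens[$i];
			if ($id === '{' || $id === T_CURLY_OPEN || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
				$depth++;
			} elseif ($id === '}') {
				$depth--;
			} elseif ($id === T_FUNCTION && $depth === 0) {
				/* The name is the first T_STRING before '('; closures have none. */
				for ($j = $i + 1; $j < $n && $tokens[$j] !== '(' && $tokens[$j] !== ';'; $j++) {
					if (is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
						$declared[] = strtolower($tokens[$j][1]);
						break;
					}
				}
			}
		}
		/* Reject the file if a name is already taken by an earlier package file. */
		$clash = array_values(array_intersect($declared, array_keys($owner)));
		if ($clash) {
			$rejected[$pkg_inc] = "function {$clash[0]}() already declared in {$owner[$clash[0]]}";
			continue;
		}
		foreach ($declared as $name)
			$owner[$name] = $pkg_inc;
		$safe[] = $pkg_inc;
	}
	return array($safe, $rejected);
}
```

A caller such as `discover_pkg_rules()` could then `require_once` only the files in the first returned array and pass the reasons in the second to `log_error()`. When two files clash, the one that sorts first in `glob()` order is kept and the later one is rejected.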

