From c92a68f62a048c9ea2664404096b7400ba4b1e9c Mon Sep 17 00:00:00 2001
From: Ted Trask
Date: Tue, 7 Oct 2008 17:31:24 +0000
Subject: Modified modelfunctions library to include validation in get/setfiledetails. Modified all uses to validate the file name - this was a major security hole.

git-svn-id: svn://svn.alpinelinux.org/acf/shorewall/trunk@1542 ab2d0c66-481e-0410-8bed-d214d4d58bed
---
 shorewall-model.lua | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)

diff --git a/shorewall-model.lua b/shorewall-model.lua
index 0130b78..f3c1e50 100644
--- a/shorewall-model.lua
+++ b/shorewall-model.lua
@@ -217,29 +217,22 @@ function getfilelist ()
 return cfe({ type="list", value=listed_files, label="Shorewall File List" })
 end

-function getfiledetails(filename)
- --Validate filename
+local function is_valid_filename(filename)
 local available_files = getfilelist()
 for i,file in ipairs(available_files.value) do
 if file.filename == filename then
- return modelfunctions.getfiledetails(filename)
+ return true
 end
 end
- local retval = modelfunctions.getfiledetails("")
- retval.value.filename.value = filename
- return retval
+ return false
+end
+
+function getfiledetails(filename)
+ return modelfunctions.getfiledetails(filename, is_valid_filename)
 end

 function updatefiledetails (filedetails)
- local available_files = getfilelist()
- for i,file in ipairs(available_files.value) do
- if file.filename == filedetails.value.filename.value then
- return modelfunctions.setfiledetails(filedetails)
- end
- end
- filedetails.value.filename.errtxt = "Invalid Filename"
- filedetails.errtxt = "Failed to save file"
- return filedetails
+ return modelfunctions.setfiledetails(filedetails, is_valid_filename)
 end

 --[[
-- 
cgit v1.2.3
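Review bot: `is_valid_filename` is now the only gate on the path handed to `modelfunctions.getfiledetails` and `modelfunctions.setfiledetails`, yet it carries no comment saying so and the old `--Validate filename` remark was dropped. I would add above it `-- Allow-list check: true only if filename exactly matches an entry returned by getfilelist(); sole path validator for getfiledetails/updatefiledetails.` Whether the check is enforced depends on modelfunctions calling the validator before any file access and refusing when it returns false or is missing. This diff does not show that side, so it should be confirmed to fail closed. The removed branch of `updatefiledetails` also set `"Invalid Filename"` and `"Failed to save file"`, so the library now has to report the rejection itself. A cheap hardening inside the helper is `if type(filename) ~= "string" then return false end` before the loop, which keeps a nil argument from ever comparing equal to a list entry that lacks a `filename` field.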