FreeRADIUS - Add input validation (Bug #7263)

net/pfSense-pkg-freeradius2/Makefile

@@ -1,8 +1,7 @@
 # $FreeBSD$
 
 PORTNAME=	pfSense-pkg-freeradius2
-PORTVERSION=	1.7.6
-PORTREVISION=	3
+PORTVERSION=	1.7.7
 CATEGORIES=	net
 MASTER_SITES=	# empty
 DISTFILES=	# empty

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradius.xml

@@ -154,8 +154,8 @@
 			<fieldname>varusersusername</fieldname>
 			<description>
 				<![CDATA[
-				Enter the username. Whitespace is allowed.
-				Leave empty if you want to use custom options instead of username/password .
+				Enter the username. Whitespace is allowed.<br/>
+				<span class="text-info">Note: May only contain a-z, A-Z, 0-9, underscore, period and hyphen when using OTP.</span>
 				]]>
 			</description>
 			<type>input</type>
@@ -166,7 +166,7 @@
 			<description>
 				<![CDATA[
 				Enter the password for this username.
-				Leave empty if you want to use custom options instead of username/password .
+				Leave empty if you want to use custom options (such as OTP) instead of username/password.
 				]]>
 			</description>
 			<type>password</type>
@@ -206,7 +206,8 @@
 			<fieldname>varusersmotpinitsecret</fieldname>
 			<description>
 				<![CDATA[
-				This is the generated init secret you get when you initialize the token for the first time on a client (mobile device).
+				This is the generated init secret you get when you initialize the token for the first time on a client (mobile device).<br/>
+				<span class="text-info">Note: May only contain 0-9 and a-f. Must contain at least 16 characters.</span>
 				]]>
 			</description>
 			<type>password</type>
@@ -216,7 +217,8 @@
 			<fieldname>varusersmotppin</fieldname>
 			<description>
 				<![CDATA[
-				This is the PIN the user has to enter on his mobile device to generate a one-time-password.
+				This is the PIN the user has to enter on his mobile device to generate a one-time-password.<br/>
+				<span class="text-info">May only contain a PIN consisting of 4-8 digits. Normally 4 digits are used.</span>
 				]]>
 			</description>
 			<type>password</type>
@@ -247,24 +249,24 @@
 			<type>listtopic</type>
 		</field>
 		<field>
-			<fielddescr>Number of Simultaneous Connections</fielddescr>
-			<fieldname>varuserssimultaneousconnect</fieldname>
+			<fielddescr>Redirection URL</fielddescr>
+			<fieldname>varuserswisprredirectionurl</fieldname>
 			<description>
 				<![CDATA[
-				The maximum of simultaneous connections with this username. Leave empty for no limit.<br/>
-				<span class="text-info">If using FreeRADIUS with Captive Portal you should leave this empty. Read the documentation!
-
+				Enter the URL the user should be redirected to after successful login.
+				<span class="text-info">Example: http://www.google.com</span>
 				]]>
 			</description>
 			<type>input</type>
 		</field>
 		<field>
-			<fielddescr>Redirection URL</fielddescr>
-			<fieldname>varuserswisprredirectionurl</fieldname>
+			<fielddescr>Number of Simultaneous Connections</fielddescr>
+			<fieldname>varuserssimultaneousconnect</fieldname>
 			<description>
 				<![CDATA[
-				Enter the URL the user should be redirected to after successful login.
-				<span class="text-info">Example: http://www.google.com</span>
+				The maximum of simultaneous connections with this username. Leave empty for no limit.<br/>
+				<span class="text-info">If using FreeRADIUS with Captive Portal you should leave this empty. Read the documentation!
+
 				]]>
 			</description>
 			<type>input</type>
@@ -314,7 +316,7 @@
 			<description>
 				<![CDATA[
 				<b>Framed-Route</b> must be supported by NAS.
-				<span class="text-info">Required format: Subnet Gateway Metric (e.g. 192.168.10.0 192.168.10.1 1)</span>
+				<span class="text-info">Required format: Subnet Gateway Metric(s) (e.g. 192.168.10.0/24 192.168.10.1 1)</span>
 				]]>
 			</description>
 			<type>input</type>
@@ -370,8 +372,10 @@
 				<![CDATA[
 				Enter the time when this user should have access. "Always" if no time is entered. Click Info for details.
 				<div class="infoblock">
-				Every time string contains a day (Mo, Tu, We, Th, Fr, Sa, Su) or all weekdays which is from monday till friday (Wk).<br/>
-				<code>Wk0855-2305,Sa,Su2230-0230</code> - weekdays after 8:55 AM and before 11:05 PM | any time on Saturday | Sunday after 10:30 PM and before 02:30 AM.
+				Each simple time string must begin with a day definition. That can be just one day, multiple days, or a range of days separated by a hyphen.<br/>
+				A day is Mo, Tu, We, Th, Fr, Sa or Su, or <code>Wk</code> for Mo-Fr. <code>Any</code> or <code>Al</code> means all days.</br>
+				After that, a range of hours follows in hhmm-hhmm format. A time string may be a list of simple time strings separated by <code>,</code><br/><br/>
+				Example: <code>Wk0855-2305,Sa,Su2230-0230</code> - weekdays after 8:55 AM and before 11:05 PM | any time on Saturday | Sunday after 10:30 PM and before 02:30 AM.
 				</div>
 				]]>
 			</description>
@@ -542,4 +546,7 @@
 	<custom_php_deinstall_command>
 		freeradius_deinstall_command();
 	</custom_php_deinstall_command>
+	<custom_php_validation_command>
+		freeradius_validate_users($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradiusauthorizedmacs.xml

@@ -224,7 +224,7 @@
 			<description>
 				<![CDATA[
 				<b>Framed-Route</b> must be supported by NAS.
-				<span class="text-info">Required format: Subnet Gateway Metric (e.g. 192.168.10.0 192.168.10.1 1)</span>
+				<span class="text-info">Required format: Subnet Gateway Metric(s) (e.g. 192.168.10.0/24 192.168.10.1 1)</span>
 				]]>
 			</description>
 			<type>input</type>
@@ -280,8 +280,10 @@
 				<![CDATA[
 				Enter the time when this MAC address should have access. "Always" if no time is entered. Click Info for details.
 				<div class="infoblock">
-				Every time string contains a day (Mo, Tu, We, Th, Fr, Sa, Su) or all weekdays which is from monday till friday (Wk).<br/>
-				<code>Wk0855-2305,Sa,Su2230-0230</code> - weekdays after 8:55 AM and before 11:05 PM | any time on Saturday | Sunday after 10:30 PM and before 02:30 AM.
+				Each simple time string must begin with a day definition. That can be just one day, multiple days, or a range of days separated by a hyphen.<br/>
+				A day is Mo, Tu, We, Th, Fr, Sa or Su, or <code>Wk</code> for Mo-Fr. <code>Any</code> or <code>Al</code> means all days.</br>
+				After that, a range of hours follows in hhmm-hhmm format. A time string may be a list of simple time strings separated by <code>,</code><br/><br/>
+				Example: <code>Wk0855-2305,Sa,Su2230-0230</code> - weekdays after 8:55 AM and before 11:05 PM | any time on Saturday | Sunday after 10:30 PM and before 02:30 AM.
 				</div>
 				]]>
 			</description>
@@ -445,4 +447,7 @@
 	<custom_php_resync_config_command>
 		freeradius_authorizedmacs_resync();
 	</custom_php_resync_config_command>
+	<custom_php_validation_command>
+		freeradius_validate_macs($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradiusclients.xml

@@ -234,7 +234,7 @@
 			<description>
 				<![CDATA[
 				Takes only effect if you use TCP as protocol.
-				This is the mirror of "Max Requests Server" from "Settings" tab.<br/>
+				Limits the number of simultaneous TCP connections from a client.<br/>
 				<span class="text-info">(Default 16)</span>
 				]]>
 			</description>
@@ -261,7 +261,7 @@
 				Leave empty to choose (s)radutmp. <span class="text-info">(Default: empty)</span>
 				]]>
 			</description>
-			<type>input</type>
+			<type>password</type>
 		</field>
 		<field>
 			<fielddescr>Description</fielddescr>
@@ -280,4 +280,7 @@
 	<custom_php_resync_config_command>
 		freeradius_clients_resync();
 	</custom_php_resync_config_command>
+	<custom_php_validation_command>
+		freeradius_validate_clients($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradiuseapconf.xml

@@ -184,7 +184,7 @@
 		<field>
 			<fielddescr>Choose Cert Manager</fielddescr>
 			<fieldname>vareapconfchoosecertmanager</fieldname>
-			<description>Check to Use pfSense Certificate Management</description>
+			<description>Check to use pfSense Certificate Management</description>
 			<sethelp>
 				<![CDATA[
 				Selects how to manage certificates.
@@ -401,7 +401,7 @@
 			<type>checkbox</type>
 		</field>
 		<field>
-			<name>EAP-TLS - Enable Cache</name>
+			<name>EAP-TLS Cache</name>
 			<type>listtopic</type>
 		</field>
 		<field>
@@ -674,4 +674,7 @@
 	<custom_php_resync_config_command>
 		freeradius_eapconf_resync();
 	</custom_php_resync_config_command>
+	<custom_php_validation_command>
+		freeradius_validate_eap($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradiusinterfaces.xml

@@ -199,4 +199,7 @@
 	<custom_php_resync_config_command>
 		freeradius_settings_resync();
 	</custom_php_resync_config_command>
+	<custom_php_validation_command>
+		freeradius_validate_interfaces($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradiusmodulesldap.xml

@@ -117,7 +117,7 @@
 			<type>listtopic</type>
 		</field>
 		<field>
-			<fielddescr>Server</fielddescr>
+			<fielddescr>Server Address</fielddescr>
 			<fieldname>varmodulesldapserver</fieldname>
 			<description>
 				<![CDATA[
@@ -130,7 +130,7 @@
 			<default_value>ldap.example.com</default_value>
 		</field>
 		<field>
-			<fielddescr>Port</fielddescr>
+			<fielddescr>Server Port</fielddescr>
 			<fieldname>varmodulesldapserverport</fieldname>
 			<description>
 				<![CDATA[
@@ -567,7 +567,7 @@
 			<type>listtopic</type>
 		</field>
 		<field>
-			<fielddescr>Enable LDAP For Authorization</fielddescr>
+			<fielddescr>LDAP Authorization Support</fielddescr>
 			<fieldname>varmodulesldap2enableauthorize</fieldname>
 			<description>Enable LDAP For Authorization (Default: unchecked)</description>
 			<sethelp>
@@ -581,7 +581,7 @@
 			<enablefields>varmodulesldap2enabletlssupport,varmodulesldap2enableauthenticate,varmodulesldap2server,varmodulesldap2identity,varmodulesldap2password,varmodulesldap2basedn,varmodulesldap2filter,varmodulesldap2basefilter,varmodulesldap2ldapconnectionsnumber,varmodulesldap2timeout,varmodulesldap2timelimit,varmodulesldap2nettimeout,varmodulesldap2msadcompatibilityenable,varmodulesldap2dmiscenable,varmodulesldap2groupenable,varmodulesldap2keepaliveidle,varmodulesldap2keepaliveprobes,varmodulesldap2keepaliveinterval</enablefields>
 		</field>
 		<field>
-			<fielddescr>Enable LDAP For Authentication</fielddescr>
+			<fielddescr>LDAP Authentication Support</fielddescr>
 			<fieldname>varmodulesldap2enableauthenticate</fieldname>
 			<description>Enable LDAP For Authentication</description>
 			<sethelp>
@@ -598,7 +598,7 @@
 			<type>listtopic</type>
 		</field>
 		<field>
-			<fielddescr>Server</fielddescr>
+			<fielddescr>Server Address</fielddescr>
 			<fieldname>varmodulesldap2server</fieldname>
 			<description>
 				<![CDATA[
@@ -611,7 +611,7 @@
 			<default_value>ldap.example.com</default_value>
 		</field>
 		<field>
-			<fielddescr>Port</fielddescr>
+			<fielddescr>Server Port</fielddescr>
 			<fieldname>varmodulesldap2serverport</fieldname>
 			<description>
 				<![CDATA[
@@ -1022,4 +1022,7 @@
 	<custom_php_resync_config_command>
 		freeradius_modulesldap_resync();
 	</custom_php_resync_config_command>
+	<custom_php_validation_command>
+		freeradius_validate_ldap($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradiussettings.xml

@@ -440,7 +440,7 @@
 			<description>
 				<![CDATA[
 				The resulting lifetime (in seconds) is the value entered here multiplied by 10 (i.e., 1 ~ 10s, 2 ~ 20s, 3 ~30s).<br/>
-				<span class="text-info">(Default: 2)</span>
+				<span class="text-info">Values higher than 12 are not allowed for security reasons. (Default: 2)</span>
 				]]>
 			</description>
 			<type>input</type>
@@ -451,8 +451,8 @@
 			<fieldname>varsettingsmotppasswordattempts</fieldname>
 			<description>
 				<![CDATA[
-				After this many failed attempts, the user will be locked out until an admin unlocks the user.
-				<span class="text-info">(Default: 5)</span>
+				After this many failed attempts, the user will be locked out until an admin unlocks the user.<br/>
+				<span class="text-info">Values higher than 20 are not allowed for security reasons. (Default: 5)</span>
 				]]>
 			</description>
 			<type>input</type>
@@ -525,4 +525,7 @@
 	<custom_php_resync_config_command>
 		freeradius_settings_resync();
 	</custom_php_resync_config_command>
+	<custom_php_validation_command>
+		freeradius_validate_settings($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/pkg/freeradiussqlconf.xml

@@ -198,19 +198,19 @@
 			</options>
 		</field>
 		<field>
-			<fielddescr>Server IP Address</fielddescr>
+			<fielddescr>Server Address</fielddescr>
 			<fieldname>varsqlconfserver</fieldname>
 			<description>
 				<![CDATA[
-				Enter the IP address of the database server.
+				Database server FQDN or IP address.
 				<span class="text-info">(Default: localhost)</span>
 				]]>
 			</description>
 			<type>input</type>
 			<default_value>localhost</default_value>
 		</field>
 		<field>
-			<fielddescr>Server Port Address</fielddescr>
+			<fielddescr>Server Port</fielddescr>
 			<fieldname>varsqlconfport</fieldname>
 			<description>
 				<![CDATA[
@@ -636,19 +636,19 @@
 			</options>
 		</field>
 		<field>
-			<fielddescr>Server IP Address</fielddescr>
+			<fielddescr>Server Address</fielddescr>
 			<fieldname>varsqlconf2server</fieldname>
 			<description>
 				<![CDATA[
-				Enter the IP address of the database server.
+				Database server FQDN or IP address.
 				<span class="text-info">(Default: localhost)</span>
 				]]>
 			</description>
 			<type>input</type>
 			<default_value>localhost</default_value>
 		</field>
 		<field>
-			<fielddescr>Server Port Address</fielddescr>
+			<fielddescr>Server Port</fielddescr>
 			<fieldname>varsqlconf2port</fieldname>
 			<description>
 				<![CDATA[
@@ -936,4 +936,7 @@
 	<custom_php_resync_config_command>
 		freeradius_sqlconf_resync();
 	</custom_php_resync_config_command>
+	<custom_php_validation_command>
+		freeradius_validate_sql($_POST, $input_errors);
+	</custom_php_validation_command>
 </packagegui>

net/pfSense-pkg-freeradius2/files/usr/local/share/pfSense-pkg-freeradius2/info.xml

@@ -4,9 +4,9 @@
 		<name>freeradius2</name>
 		<website>http://www.freeradius.org/</website>
 		<descr><![CDATA[A free implementation of the RADIUS protocol.&lt;br /&gt;
-			Support: MySQL, PostgreSQL, LDAP, Kerberos.&lt;br /&gt;
-			FreeRADIUS and FreeRADIUS2 settings are not compatible so don't use them together or try to update.&lt;br /&gt;
-			On pfSense docs there is a how-to which could help you on porting users.]]></descr>
+			Supports MySQL, PostgreSQL, LDAP, Kerberos.
+			]]>
+		</descr>
 		<pkginfolink>https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink>
 		<version>%%PKGVERSION%%</version>
 		<configurationfile>freeradius.xml</configurationfile>

net/pfSense-pkg-freeradius2/pkg-descr

@@ -1,8 +1,4 @@
-A free implementation of the RADIUS protocol.<br />
-			Support: MySQL, PostgreSQL, LDAP, Kerberos.<br />
-			FreeRADIUS and FreeRADIUS2 settings are not compatible
-			so don't use them together or try to update.<br /> On
-			pfSense docs there is a how-to which could help you on
-			porting users.
+A free implementation of the RADIUS protocol.
+Supports MySQL, PostgreSQL, LDAP, Kerberos.
 
 WWW: https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package