From 308173ba5281de704aa1deab3625e59bfcf4b73a Mon Sep 17 00:00:00 2001
From: Guillaume Mazoyer <gmazoyer@gravitons.in>
Date: Thu, 18 Feb 2016 10:57:58 +0100
Subject: Reject AS path regex containing ; and ".

An AS path regex will be considered as invalid if any of the ; and "
characters are used. These characters could be used to inject arbitrary
command due to the router command line interpretation.

This is a temporary fix for issue #13 while waiting for something better.
---
 includes/config.defaults.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'includes/config.defaults.php')

diff --git a/includes/config.defaults.php b/includes/config.defaults.php
index 9b7defe..6473aa4 100644
--- a/includes/config.defaults.php
+++ b/includes/config.defaults.php
@@ -122,7 +122,7 @@ $config = array(
     'as-path-regex' => array(
       'command' => 'show route as-path-regex AS_PATH_REGEX',
       'description' => 'Show the routes matching the given AS path regular expression.',
-      'parameter' => 'The parameter must be a valid AS path regular expression.<br />Please note that these expression can change depending on the router and its software.<br /><br />Here are some examples:<ul><li><strong>Juniper</strong> - ^AS1 AS2 .*$</li><li><strong>Cisco</strong> - ^AS1_</li><li><strong>BIRD</strong> - AS1 AS2 AS3 &hellip; ASZ</li></ul><br />You may find some help with the following link:<br /><ul><li><a href="http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-route-aspath-regex.html" title="Juniper Documentation">Juniper Documentation</a></li><li><a href="http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/26634-bgp-toc.html#asregexp" title="Cisco Documentation">Cisco Documentation</a></li><li><a href="http://bird.network.cz/?get_doc&f=bird-5.html" title="BIRD Documentation">BIRD Documentation</a> (search for bgpmask)</li></ul>'
+      'parameter' => 'The parameter must be a valid AS path regular expression and must not contain any " characters (the input will be automatically quoted if needed).<br />Please note that these expressions can change depending on the router and its software.<br /><br />Here are some examples:<ul><li><strong>Juniper</strong> - ^AS1 AS2 .*$</li><li><strong>Cisco</strong> - ^AS1_</li><li><strong>BIRD</strong> - AS1 AS2 AS3 &hellip; ASZ</li></ul><br />You may find some help with the following link:<br /><ul><li><a href="http://www.juniper.net/techpubs/en_US/junos13.3/topics/reference/command-summary/show-route-aspath-regex.html" title="Juniper Documentation">Juniper Documentation</a></li><li><a href="http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/26634-bgp-toc.html#asregexp" title="Cisco Documentation">Cisco Documentation</a></li><li><a href="http://bird.network.cz/?get_doc&f=bird-5.html" title="BIRD Documentation">BIRD Documentation</a> (search for bgpmask)</li></ul>'
     ),
     // Documentation for the 'as' query
     'as' => array(
-- 
cgit v1.2.3