OPNSense/core 803b2fa src/opnsense/mvc/app/models/OPNsense/OpenVPN OpenVPN.xml

VPN: OpenVPN: Instances - partially revert https://github.com/opnsense/core/commit/6c3be9a11699879fe50aea1c30e50de5864601d7 and add a specific regex constraint for static keys (alphanum, line endings, minus signs and hashes)

closes https://github.com/opnsense/core/issues/10483
Delta File
+3 -2 src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+3 -2 (1 file)

OPNSense/core d9ac167 src/etc config.xml.sample

config.xml.sample - fix default to use mvc firewall rules.

uuids are omitted intentionally as the initial migration will generate a unique one automatically.
Delta File
+61 -24 src/etc/config.xml.sample
+61 -24 (1 file)

OPNSense/core c997621 src/opnsense/mvc/app/views/OPNsense/Core firmware.volt, src/opnsense/scripts/firmware latest.php

firmware: support for patch release matching
Delta File
+2 -2 src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
+1 -1 src/opnsense/scripts/firmware/latest.php
+3 -3 (2 files)

OPNSense/core 527412c plist

pkg: fix plist
Delta File
+1 -1 plist
+1 -1 (1 file)

OPNSense/core a730be4 src/opnsense/mvc/app/controllers/OPNsense/Base ApiMutableModelControllerBase.php, src/opnsense/scripts/filter list_legacy_rules.php

php85 - some minor issues found while testing firewall rules migration
Delta File
+1 -1 src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
+1 -1 src/opnsense/scripts/filter/list_legacy_rules.php
+2 -2 (2 files)

OPNSense/core fbfac13 plist, src/opnsense/mvc/app/controllers/OPNsense/Interfaces/forms dialogAssignment.xml

Interfaces: Assignments - minor usability improvements.

* show "hint" when editing an interface without a description
* add lock toggle and set to locked by default.
* show identifier by default in grid and edit dialog

as discussed in https://github.com/opnsense/core/pull/10476
Delta File
+45 -0 src/opnsense/mvc/app/models/OPNsense/Interfaces/FieldTypes/IfDescField.php
+17 -11 src/opnsense/mvc/app/controllers/OPNsense/Interfaces/forms/dialogAssignment.xml
+1 -8 src/opnsense/mvc/app/views/OPNsense/Interface/assignment.volt
+5 -1 src/opnsense/mvc/app/models/OPNsense/Interfaces/NetworkInterface.xml
+4 -0 src/opnsense/mvc/app/models/OPNsense/Interfaces/NetworkInterface.php
+1 -0 plist
+73 -20 (6 files)

OPNSense/core e7c5cd2 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes BaseField.php

mvc: BaseField: in getNodes, emit descriptions as well when they're not the same as the value to match getNodeContent()'s behavior.

ref: https://github.com/opnsense/core/pull/10476
Delta File
+11 -2 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/BaseField.php
+11 -2 (1 file)

OPNSense/core 9e47011 src/opnsense/mvc/app/models/OPNsense/Monit Monit.xml

monit: allow spaces in places

Monit model never had a security concept and GHSA-fq94-cxvc-9r7w made
sure to restrict the fields, but went a bit too far with them.

PR: https://forum.opnsense.org/index.php?topic=52263.0
(cherry picked from commit b86fb99465d9faa603040c8b3af36e09067e24e0)
Delta File
+3 -0 src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+3 -0 (1 file)

OPNSense/core f674f4f src/opnsense/mvc/app/models/OPNsense/Core ACL.php

System: Access: Users - hasPrivilege not merging user privs correctly.

PR: GHSA-p9pr-782r-w2xw
(cherry picked from commit e15a884973746319e79bd2cd421e8a015cc3ddb9)
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+1 -1 (1 file)

OPNSense/core 82aaab1 src/opnsense/mvc/app/models/OPNsense/Firewall/Menu Menu.php

Firewall: fix some small issues in menu registration, taking into account the situations where legacy removed the items leading to config.xml like:

  <filter>
    <rule/>
  </filter>

And mvc Filter->rules always being there (the container vs the entries)

(cherry picked from commit bf08cc48326216eca7703a93b06f10825e64ae43)
Delta File
+4 -3 src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.php
+4 -3 (1 file)

OPNSense/core e15a884 src/opnsense/mvc/app/models/OPNsense/Core ACL.php

System: Access: Users - hasPrivilege not merging user privs correctly.

PR: GHSA-p9pr-782r-w2xw
Delta File
+1 -1 src/opnsense/mvc/app/models/OPNsense/Core/ACL.php
+1 -1 (1 file)

OPNSense/core 766cb88 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api SourceNatController.php

Firewall: NAT: Source NAT: Fix automatic rules not displayed for PPPoE interfaces, flatten automatic rules into two per WAN type interface (#10482)
Delta File
+67 -67 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+67 -67 (1 file)

OPNSense/core 72b8c5f src/opnsense/mvc/app/models/OPNsense/Core/ACL ACL.xml

ACL: cleanup some user ACLs for simplicity and overlap.
Delta File
+4 -14 src/opnsense/mvc/app/models/OPNsense/Core/ACL/ACL.xml
+4 -14 (1 file)

OPNSense/core f22884e src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api SourceNatController.php

Firewall: NAT: Source NAT: Fix automatic rules not displayed for PPPoE interfaces, flatten automatic rules into two per WAN type interface
Delta File
+67 -67 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/SourceNatController.php
+67 -67 (1 file)

OPNSense/core bf08cc4 src/opnsense/mvc/app/models/OPNsense/Firewall/Menu Menu.php

Firewall: fix some small issues in menu registration, taking into account the situations where legacy removed the items leading to config.xml like:

  <filter>
    <rule/>
  </filter>

And mvc Filter->rules always being there (the container vs the entries)
Delta File
+4 -3 src/opnsense/mvc/app/models/OPNsense/Firewall/Menu/Menu.php
+4 -3 (1 file)

OPNSense/core b86fb99 src/opnsense/mvc/app/models/OPNsense/Monit Monit.xml

monit: allow spaces in places

Monit model never had a security concept and GHSA-fq94-cxvc-9r7w made
sure to restrict the fields, but went a bit too far with them.

PR: https://forum.opnsense.org/index.php?topic=52263.0
Delta File
+3 -0 src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+3 -0 (1 file)

OPNSense/core 03ac142 src/opnsense/www/js opnsense_bootgrid.js

bootgrid: test disabling scroll
Delta File
+4 -3 src/opnsense/www/js/opnsense_bootgrid.js
+4 -3 (1 file)

OPNSense/core 10a2749 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes PortField.php, src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes PortFieldTest.php

mvc: PortField now rejects whitespaces in port ranges during validation (#10478)
Delta File
+31 -19 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/PortField.php
+14 -0 src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes/PortFieldTest.php
+45 -19 (2 files)

OPNSense/core a93e6b2 src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes PortFieldTest.php

Fix the test; I wanted to see if it worked but forgot to update it, so it didn't fire
Delta File
+1 -1 src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes/PortFieldTest.php
+1 -1 (1 file)

OPNSense/core 9369ef5 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes PortField.php, src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes PortFieldTest.php

mvc: PortField now rejects whitespaces in port ranges during validation
Delta File
+31 -19 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/PortField.php
+14 -0 src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes/PortFieldTest.php
+45 -19 (2 files)

OPNSense/core c930ab5 src/opnsense/scripts/syslog lockout_handler, src/opnsense/service/templates/OPNsense/Syslog syslog-ng-lockout.conf

system: lockout: address newline injection and correct IP parsing

PR: GHSA-2v2x-m4j7-76pv
(cherry picked from commit 8bdaad95f405f4587bb83bf35aa652ca493cc2a4)
Delta File
+5 -0 src/opnsense/service/templates/OPNsense/Syslog/syslog-ng-lockout.conf
+1 -1 src/opnsense/scripts/syslog/lockout_handler
+6 -1 (2 files)
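The two problems named in the lockout commit above (a newline smuggled into a log message, and an IP address picked out of the line too loosely) are easiest to see side by side. The following is an added example and not the project's lockout_handler or its syslog-ng template: the audit messages, the record format, the `escape_control` stand-in for syslog-ng template escaping and the lockout threshold are all constructed for the illustration. The naive reader splits the joined log on newlines and greps for a dotted quad, so three fake lines hidden in a username get a victim address locked out; the strict reader escapes control characters before the message reaches a line-oriented log, anchors the pattern on both ends, and hands the token to a real IP parser.

```python
import ipaddress
import re
from collections import Counter

LOCKOUT_THRESHOLD = 3  # assumed for the example

# Constructed audit messages, one per authentication event (not from the page
# or from a real OPNsense log). The attacker controls the username and hides
# three fake "failed authentication from <victim>" lines inside it.
_INJECTED_USER = "bob" + 3 * "\nfailed authentication from 198.51.100.7"
RAW_EVENTS = [
    "audit: user 'alice' failed authentication from 203.0.113.10",
    "audit: user 'alice' failed authentication from 203.0.113.10",
    f"audit: user '{_INJECTED_USER}' failed authentication from 203.0.113.10",
    "audit: user 'alice' failed authentication from 203.0.113.10",
    "audit: user 'carol' failed authentication from 2001:db8::1",
    "audit: user 'dave' failed authentication from 999.1.2.3",
]


def escape_control(msg: str) -> str:
    """Neutralise record separators before a message is written to a
    line-oriented log (stand-in for syslog-ng template escaping; my choice)."""
    return msg.replace("\\", "\\\\").replace("\r", "\\r").replace("\n", "\\n")


# Used with fullmatch: the address must be the final token of the record.
_FAILED_RE = re.compile(r"audit: user '(?P<user>.*)' failed authentication from (?P<ip>\S+)")


def parse_failed_login(record: str):
    """Return (user, ip) for one well-formed failure record, else None.
    A record containing CR/LF is refused: one event may never span lines."""
    if "\n" in record or "\r" in record:
        return None
    m = _FAILED_RE.fullmatch(record)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))  # rejects 999.1.2.3, hostnames, junk
    except ValueError:
        return None
    return m.group("user"), str(ip)


def naive_counts(events) -> Counter:
    """The bug: split the log on newlines and grep for anything that looks
    like a dotted quad, anywhere in the line (IPv6 is silently missed)."""
    counts = Counter()
    for line in "\n".join(events).split("\n"):
        m = re.search(r"failed authentication from (\d+\.\d+\.\d+\.\d+)", line)
        if m:
            counts[m.group(1)] += 1
    return counts


def strict_counts(events) -> Counter:
    """Escape on the way in, then parse each record with the anchored pattern
    and a real IP parser; the injected text stays inside the username."""
    counts = Counter()
    for record in "\n".join(escape_control(e) for e in events).split("\n"):
        parsed = parse_failed_login(record)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def lockouts(counts: Counter) -> set:
    """Addresses that reached the threshold."""
    return {ip for ip, n in counts.items() if n >= LOCKOUT_THRESHOLD}


if __name__ == "__main__":
    print("naive :", sorted(lockouts(naive_counts(RAW_EVENTS))))
    print("strict:", sorted(lockouts(strict_counts(RAW_EVENTS))))
```

With the constructed events the naive reader locks out both the real source and the victim 198.51.100.7, and also counts the impossible 999.1.2.3; the strict reader attributes all four failures to 203.0.113.10, counts the IPv6 client, and ignores the junk address.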

OPNSense/core 631e147 src/opnsense/mvc/app/controllers/OPNsense/Base ApiMutableModelControllerBase.php

mvc: checkAndThrowValueInUse validate input token which may only contain alphanum and dashes

PR: GHSA-98h6-479q-9q3w
(cherry picked from commit d7054cef69f72588feac1091254960835be19dfe)
Delta File
+3 -1 src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
+3 -1 (1 file)

OPNSense/core adcb02f src/www system_advanced_admin.php

System: Settings: Administration - add missing legacy_html_escape_form_data for $a_cert

PR: GHSA-8pgr-x852-qx4j
(cherry picked from commit 9d0a590e9c49f4374a5539929b366123f63bc9eb)
Delta File
+1 -0 src/www/system_advanced_admin.php
+1 -0 (1 file)

OPNSense/core a92d951 src/etc/inc/plugins.inc.d ntpd.inc, src/www services_ntpd_gps.php

network time: fix stored XSS in GPS init string display

Squelch a PHP warning and change the way the default init
command string is used.

PR: GHSA-h793-67jm-j4m5
(cherry picked from commit ed04a154dc40967541be1388e9134e451be4199e)
Delta File
+3 -2 src/www/services_ntpd_gps.php
+2 -1 src/etc/inc/plugins.inc.d/ntpd.inc
+5 -3 (2 files)

OPNSense/core 5e6313f src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt, nat_rule.volt

firewall: escape user-controlled values in tooltip attributes

PR: GHSA-2xrm-p255-p43h
(cherry picked from commit fb3b8a07f407ce281b1dde748706acbb0bc514ce)
Delta File
+2 -2 src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+2 -2 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+4 -4 (2 files)

OPNSense/core e7fbfaa src/opnsense/scripts/filter/lib/alias geoip.py

Firewall: Aliases - safeguard ISO country codes in alias download

PR: GHSA-wjqq-rfmm-v5h3
(cherry picked from commit c46aced9c47d956167e294911113bc334fea5f48)
Delta File
+2 -2 src/opnsense/scripts/filter/lib/alias/geoip.py
+2 -2 (1 file)

OPNSense/core 11180da src/opnsense/mvc/app/views/OPNsense/OpenVPN status.volt, src/opnsense/www/js/widgets OpenVPNClients.js

openvpn: escape client common_name in connection-status views (stored XSS)

The OpenVPN connection-status widget and the connection-status page render
the client common_name into an HTML attribute (data-common-name /
data-common_name) without escaping the double quote, so a common_name
containing a quote breaks out of the attribute. With username-as-common-name
plus a RADIUS/LDAP backend the common_name is an attacker-chosen value.
Escape the quote before placing it in the attribute.

PR: GHSA-26cj-h9rj-g5pf
(cherry picked from commit e7b2ac8093f804bef8eb88dfa9a0d99fad00c12b)
Delta File
+1 -1 src/opnsense/mvc/app/views/OPNsense/OpenVPN/status.volt
+1 -1 src/opnsense/www/js/widgets/OpenVPNClients.js
+2 -2 (2 files)
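The attribute break-out described in the OpenVPN status commit above, and the same class of bug in the tooltip (GHSA-2xrm-p255-p43h) and GPS init string (GHSA-h793-67jm-j4m5) commits, comes down to one rule: a value that lands inside a quoted attribute must have at least that quote encoded, and a value that also lands in text content must have `<`, `>` and `&` encoded too. This is an added example, not the project's Volt template or widget code; the row markup, the `data-common-name` attribute name and the attacker-chosen common_name are constructed for the illustration. It renders the same value three ways and then parses the result the way a browser would, so the effect of each variant is visible in the parsed attributes and tags rather than in the raw string.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-chosen common_name (with username-as-common-name and a
# RADIUS/LDAP backend the login name becomes the common_name). Not from the page.
EVIL_CN = 'vpnuser" onmouseover="alert(document.cookie)'
TEXT_CN = "<img src=x onerror=alert(1)>"   # payload aimed at text content instead


def row_unescaped(common_name: str) -> str:
    """Vulnerable pattern: the value is interpolated straight into a
    double-quoted attribute and into text content (hypothetical markup,
    not the project's template)."""
    return f'<tr data-common-name="{common_name}"><td>{common_name}</td></tr>'


def row_quote_only(common_name: str) -> str:
    """Minimal fix for a double-quoted attribute: encode the double quote.
    Enough for the attribute, but the unescaped copy in the text content
    is still live markup."""
    attr = common_name.replace('"', "&quot;")
    return f'<tr data-common-name="{attr}"><td>{common_name}</td></tr>'


def row_escaped(common_name: str) -> str:
    """Hardened: html.escape(quote=True) encodes &, <, >, " and ', so one
    escaped value is safe both in a quoted attribute and as text content."""
    safe = html.escape(common_name, quote=True)
    return f'<tr data-common-name="{safe}"><td>{safe}</td></tr>'


class _Collector(HTMLParser):
    """Parse like a browser would: record the <tr> attributes and every tag seen."""

    def __init__(self):
        super().__init__()
        self.tr_attrs = {}
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "tr":
            self.tr_attrs = dict(attrs)


def parse_row(markup: str):
    """Return ({attribute: value} of the <tr>, [tags in document order])."""
    p = _Collector()
    p.feed(markup)
    p.close()
    return p.tr_attrs, p.tags


if __name__ == "__main__":
    for render in (row_unescaped, row_quote_only, row_escaped):
        print(render.__name__, parse_row(render(EVIL_CN)), parse_row(render(TEXT_CN))[1])
```

For `EVIL_CN` the unescaped row yields a truncated `data-common-name` plus a new `onmouseover` attribute; both fixes return the attribute intact. For `TEXT_CN` the quote-only variant still produces an `img` tag from the text cell, which is why escaping the whole value with `html.escape(..., quote=True)` (or the template engine's equivalent autoescape) is the safer default over encoding a single character.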

OPNSense/core 3af4961 src/etc/inc/plugins.inc.d openvpn.inc, src/opnsense/mvc/app/models/OPNsense/OpenVPN OpenVPN.xml

openvpn: prevent path traversal in "common_name" attribute

PR: GHSA-2m9v-p7r9-gfcw
(cherry picked from commit 6101b3e2c90482111f420a47775c14a447441a72)
Delta File
+3 -2 src/etc/inc/plugins.inc.d/openvpn.inc
+3 -1 src/opnsense/mvc/app/models/OPNsense/OpenVPN/OpenVPN.xml
+6 -3 (2 files)
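The common_name traversal commit above and the geoip ISO country code commit (GHSA-wjqq-rfmm-v5h3) share a shape: a short identifier that the server later uses to build a filesystem path or download target. The following is an added example, not the project's openvpn.inc or geoip.py: the directory layout, the file naming, the allow-list regexes and the address-family names are assumptions made for the illustration. It pairs an allow-list check on the raw value with a containment check on the canonicalised path, so a value that somehow slipped past the first check still cannot leave the instance directory.

```python
import os
import re

# Assumed layout for this example (hypothetical; not the project's paths).
CSC_ROOT = "/var/etc/openvpn-csc"
GEOIP_DIR = "/usr/local/share/GeoIP/alias"

# Allow-lists: a common_name may only carry characters you would expect in a
# certificate CN or login name; a country code is exactly two capital letters.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_.@=-]+")
_ISO_ALPHA2 = re.compile(r"[A-Z]{2}")


def is_safe_name(value: str) -> bool:
    """Allow-listed characters only, and never a bare '.' or '..'."""
    return bool(_SAFE_NAME.fullmatch(value)) and value not in (".", "..")


def csc_path(instance: str, common_name: str) -> str:
    """Per-client override file for one OpenVPN instance, or ValueError.
    Two independent checks: the allow-list on the raw values, and a
    canonical-path containment check on the result."""
    if not (is_safe_name(instance) and is_safe_name(common_name)):
        raise ValueError(f"rejected name {common_name!r}")
    base = os.path.join(CSC_ROOT, instance)
    target = os.path.normpath(os.path.join(base, common_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{target!r} escapes {base!r}")
    return target


def country_file(country: str, family: str) -> str:
    """Cache file for one country's address list. The code is checked before
    it touches a path or URL, so 'NL/../x' or 'nl?x=1' never get that far."""
    if not _ISO_ALPHA2.fullmatch(country):
        raise ValueError(f"not an ISO 3166-1 alpha-2 code: {country!r}")
    if family not in ("IPv4", "IPv6"):
        raise ValueError(f"unknown address family {family!r}")
    return os.path.join(GEOIP_DIR, f"{country}-{family}")


def rejected(fn, *args) -> bool:
    """True when fn(*args) raises ValueError (convenience for demos and tests)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(csc_path("inst1", "alice@example.org"))
    for cn in ("../../../../etc/passwd", "..", "alice/../../x"):
        print(cn, "->", "rejected" if rejected(csc_path, "inst1", cn) else "ACCEPTED")
    print(country_file("NL", "IPv4"), rejected(country_file, "../NL", "IPv4"))
```

The allow-list does the real work; the `commonpath` check is there so that a later relaxation of the regex (say, to admit `/` for an unrelated reason) does not silently reopen the traversal.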

OPNSense/core 52b18e6 src/opnsense/mvc/app/models/OPNsense/Dnsmasq Dnsmasq.xml, src/opnsense/mvc/app/models/OPNsense/Firewall Filter.xml

src: configuration line injection via multiple GUI text fields

PR: GHSA-fq94-cxvc-9r7w
Co-authored-by: Franco Fichtner <franco at opnsense.org>
(cherry picked from commit 6c3be9a11699879fe50aea1c30e50de5864601d7)
Delta File
+23 -20 src/opnsense/mvc/app/models/OPNsense/Monit/Monit.xml
+24 -9 src/opnsense/mvc/app/models/OPNsense/Unbound/Unbound.xml
+8 -6 src/www/system_general.php
+6 -4 src/opnsense/mvc/app/models/OPNsense/Dnsmasq/Dnsmasq.xml
+4 -4 src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+4 -4 src/opnsense/mvc/app/models/OPNsense/IPsec/Swanctl.xml
+69 -47 (7 files not shown)
+90 -59 (13 files)
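Several commits on this page are the same lesson from different angles: the configuration line injection fix above (GHSA-fq94-cxvc-9r7w), the Monit follow-up that had to re-admit spaces, the OpenVPN static key constraint (alphanum, line endings, minus signs and hashes), the PortField change that rejects whitespace in port ranges, and the `checkAndThrowValueInUse` token restricted to alphanum and dashes. A GUI field whose value is pasted into a generated config file is only as safe as the character set it admits, and the constraint has to be tight enough to exclude line endings yet loose enough for legitimate values. This is an added example and not the project's model XML or PHP field types: the regexes, the Monit-style template, the validation messages and the sample inputs are all constructed here. One note on the static key pattern: the character class below adds the space, which the commit subject does not list, because the standard `-----BEGIN OpenVPN Static key V1-----` header line contains spaces.

```python
import re

# Constraints written for this example; the project's real constraints live
# in its model XML files and are not reproduced here.
TOKEN_RE = re.compile(r"[A-Za-z0-9-]+")                   # opaque id / in-use token
PORT_RE = re.compile(r"([0-9]{1,5})(?:-([0-9]{1,5}))?")   # '80' or '80-90', no whitespace
# Static key material: alnum, '#' comment lines, '-----BEGIN/END' markers and
# line endings. The space is my addition (the standard header line has spaces).
STATIC_KEY_RE = re.compile(r"[A-Za-z0-9#\- \r\n]+")
# A single-line free-text field: spaces are fine, CR/LF and quotes are not.
LINE_TEXT_RE = re.compile(r"[A-Za-z0-9 _.,:@/-]+")


def is_token(value: str) -> bool:
    return bool(TOKEN_RE.fullmatch(value))


def parse_port_range(value: str):
    """(lo, hi) for '80' or '80-90'; None for whitespace, reversed or out-of-range."""
    m = PORT_RE.fullmatch(value)
    if m is None:
        return None
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= hi <= 65535):
        return None
    return lo, hi


def is_static_key(value: str) -> bool:
    return bool(STATIC_KEY_RE.fullmatch(value))


def is_line_text(value: str) -> bool:
    return bool(LINE_TEXT_RE.fullmatch(value))


# A hypothetical Monit-style template: a field value carrying a newline
# becomes an extra directive in the generated file.
CHECK_TEMPLATE = "check host {name} with address {address}\n    if failed port {port} then alert\n"


def render_check_unvalidated(name: str, address: str, port: str) -> str:
    """Before: whatever the GUI field held is pasted into the template."""
    return CHECK_TEMPLATE.format(name=name, address=address, port=port)


def validate_check(name: str, address: str, port: str) -> list:
    """Per-field validation messages, in the style of a model validate() call."""
    errors = []
    if not is_line_text(name):
        errors.append("name: only letters, digits, space and _.,:@/- allowed")
    if not is_line_text(address):
        errors.append("address: only letters, digits, space and _.,:@/- allowed")
    if parse_port_range(port) is None or "-" in port:
        errors.append("port: a single port number between 1 and 65535")
    return errors


def render_check(name: str, address: str, port: str) -> str:
    """After: every field must pass its constraint before it reaches the template."""
    errors = validate_check(name, address, port)
    if errors:
        raise ValueError("; ".join(errors))
    return CHECK_TEMPLATE.format(name=name, address=address, port=port)


def directive_count(config: str) -> int:
    """Number of non-empty lines in a rendered config."""
    return sum(1 for line in config.splitlines() if line.strip())


# Constructed inputs (not from the page).
EVIL_ADDRESS = ('db.example.net\n    if failed port 22 then exec "/bin/sh /tmp/x"\n'
                'check host pwn with address 127.0.0.1')
SAMPLE_KEY = (
    "#\n# 2048 bit OpenVPN static key\n#\n"
    "-----BEGIN OpenVPN Static key V1-----\n"
    "0123456789abcdef0123456789abcdef\n"
    "fedcba9876543210fedcba9876543210\n"
    "-----END OpenVPN Static key V1-----\n"
)

if __name__ == "__main__":
    print(render_check_unvalidated("db", EVIL_ADDRESS, "5432"))
    print(validate_check("db", EVIL_ADDRESS, "5432"))
```

With the injected address the unvalidated renderer emits four directives instead of two, one of them an `exec`; the validated renderer refuses the value with a single message naming the field. The free-text pattern still accepts "My DB server", which is the point of the Monit follow-up commit: reject line endings and quoting characters, not ordinary spaces.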

OPNSense/core fb3b8a0 src/opnsense/mvc/app/views/OPNsense/Firewall filter_rule.volt, nat_rule.volt

firewall: escape user-controlled values in tooltip attributes

PR: GHSA-2xrm-p255-p43h
Delta File
+2 -2 src/opnsense/mvc/app/views/OPNsense/Firewall/filter_rule.volt
+2 -2 src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+4 -4 (2 files)