BSD Commit Log Search

Interfaces/DHCP - Further tighten security for https://github.com/opnsense/core/security/advisories/GHSA-5rx3-w735-74wm

As advanced fields should always require high level access, we should prevent accidental mistakes from administrators allowing non-admins from changing these items.
In the long run, we likely want to drop these options, but that requires at least bringing back some common options which we are able to validate properly.

system: webgui templating more pretty

src: non-canonical cast (double) is deprecated

system: non-canonical cast (binary) is deprecated

May need to revisit this again, but for now PHP suggests that
(string) is equivalent to (binary) although the code reads
strange.

firewall: using null as an array offset is deprecated

contrib: another implicit null

src: implicitly marking parameter $chown as nullable is deprecated

Firewall: fix 500 (TypeError) on alias getItem with unknown UUID (#10417)

ipsec: validate the use of refid in CA certificates

PR: GHSA-33q4-wcv7-r8fr
(cherry picked from commit 6bc0a1df6550c419f2a44461f6595cacf2080bfa)

firewall: escape shaper targets in rule edit

PR: GHSA-m4m3-v627-wgc2
(cherry picked from commit 3de53a25fdd9b605acc82e4071e9920fa1c9b418)

mvc: strict alphanumeric-only regex for certificate refid

CVE: CVE-2026-53582
PR: GHSA-xww7-76m6-mh2r
(cherry picked from commit fc2f0d745c17855d2027b192fd4e3fa913e26859)

mvc: add new validators to TextField: AllowSpaces, AllowNewlines, AllowSpecial and introduce new StrictTextField (#10398)

(cherry picked from commit c34b7786516afb6dff7a43af92c4328225b81e69)
(cherry picked from commit 9d0e4bf2bb4fdd20f872ff612c5135a7f9115101)

dnsmasq: change widget link from settings to leases page (#10420)

(cherry picked from commit 5e8f226d49196c55cd61ba1ee8e69fbbc194a835)

firewall: fix typo that prevented queues to be selectable in pf-based traffic shaping

(cherry picked from commit 558809488e9014f3452aa7cbcf1c5555a8697846)

firewall: allow WAN as "associated interface" for NPTv6 #10413

firewall: escape shaper targets in rule edit

PR: GHSA-m4m3-v627-wgc2

firewall: fix typo that prevented queues to be selectable in pf-based traffic shaping

ipsec: validate the use of refid in CA certificates

PR: GHSA-33q4-wcv7-r8fr

mvc: strict alphanumeric-only regex for certificate refid

CVE: CVE-2026-53582
PR: GHSA-xww7-76m6-mh2r

dnsmasq: change widget link from settings to leases page (#10420)

firewall: allow WAN as "associated interface" for NPTv6 #10413

firewall: allow WAN as "associated interface" for NPTv6 #10413

firewall: allow WAN as "associated interface" for NPTv6 #10413

MVC:ui - refactor base_dialog and parseFormNode to simplify the template for https://github.com/opnsense/core/issues/9955 [2]

bugfix https://github.com/opnsense/core/commit/3d9cccfe4038802807219621ddd49cf668a05144

src: style sweep

MVC:ui - refactor base_dialog and parseFormNode to simplify the template for https://github.com/opnsense/core/issues/9955 (#10410)

Move defaults to parseFormNode() and introduce "sections" with children to avoid some more magic in the volt templates.

Set default title on multi selectpickers as these sometimes seem to miss the "Nothing selected" phrase for some odd reason.

Functionally this should be a backward compatible change.

mvc/templates - remove direct apply_btn_id usage in favor of base_apply_button template partial. discussed in https://github.com/opnsense/core/pull/10410

Eventually we want to remove apply_btn_id from base_form completely, but since base_tabs_content is using the same construct and appears in quite some plugins, we have to postpone that action.
At least aim for consistency in the forms that only depend on base_form in core.

firmware: fix return value masking during updates

This caused reboots when updates not supposed to reboot
in case base/kernel could not install.  This way since
26.1.8.

(cherry picked from commit 2e90e6fbf77202efdbd599697951e6da12b78e26)

Firewall: Rules: use strnatcasecmp() for interface list (#10412)

(cherry picked from commit 0fe799f7872cd8436fa896394dd3bb5fa03397ef)

MVC:ui - refactor base_dialog and parseFormNode to simplify the template for https://github.com/opnsense/core/issues/9955

Move defaults to parseFormNode() and introduce "sections" with children to avoid some more magic in the volt templates.

Set default title on multi selectpickers as these sometimes seem to miss the "Nothing selected" phrase for some odd reason.

Functionally this should be a backward compatible change.