mvc: guard BaseField::setNodes() against a list given for a scalar leaf (#10434)
setNodes() rejects a non-array given for a container node, but the leaf branch passed any value straight to setValue(). Posting a JSON array for a scalar/AsList field therefore reached field setters that assume a string, e.g. NetworkField::setValue() does strtolower() on it, producing a fatal "TypeError: strtolower(): array given" and an uncontrolled 500.
Mirror the container guard: throw an Exception so a mis-typed request yields a controlled error with a message for the log instead of a crash.
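The guard described in the commit message above, as an added example that is not OPNsense's own code: `Field` is a simplified stand-in for the model's field classes, and the exception messages and the sample request body are constructed.

```php
<?php
// Simplified stand-in for a model field; not the project's BaseField.
class Field
{
    private string $value = '';
    public array $children = [];   // empty for a leaf node

    // Like the setter named in the commit, this assumes a string.
    public function setValue($value): void
    {
        $this->value = strtolower($value);
    }

    public function getValue(): string
    {
        return $this->value;
    }

    public function setNodes($data): void
    {
        if (!empty($this->children)) {
            // Existing container guard: a container needs an array.
            if (!is_array($data)) {
                throw new Exception('container node expects an array');
            }
            foreach ($data as $key => $item) {
                if (isset($this->children[$key])) {
                    $this->children[$key]->setNodes($item);
                }
            }
        } elseif (is_array($data)) {
            // Mirrored guard: a list must never reach a scalar setter.
            throw new Exception('leaf node expects a scalar, array given');
        } else {
            $this->setValue($data);
        }
    }
}

// Constructed request body: a JSON array where a string is expected.
$post = json_decode('{"network": ["10.0.0.0/24", "10.0.1.0/24"]}', true);
$root = new Field();
$root->children['network'] = new Field();

try {
    $root->setNodes($post);
} catch (Exception $e) {
    // Controlled failure with a loggable message instead of a TypeError.
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Without the `elseif (is_array($data))` branch, the same input reaches `strtolower()` and raises the `TypeError` quoted in the commit message.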
installer: fix "stty size" returning "0 0"
This breaks the keymap selection (and possibly more), but the fix
seems easy. Some sort of ordering change with shells and login
profiles makes this not work for us on 15.x anymore but it's easy
enough to enforce via the installer launcher.
Firewall: Rules: Remove safepoint actions (#10411)
* Remove safepoint actions, no callers should be left
* Remove rollback_cancel.php and rollback_timer.php and their configd actions
system: change the services widget to a flat tile layout
Make the names of the services shown a bit shorter. The colors
are debatable but they are matching what alerts are using in
bootstrap.
system: deriving $_SERVER['argv'] from the query string is deprecated
Only used by Nginx plugin and probably able to simplify there. It's
a bit strange in this case. Allegedly the variable has no effect on
CLI applications.
routing: fix HTTP 500 when deleting a non-existent gateway (#10429)
delGatewayAction() dereferenced the result of getNodeByReference() without a null check, so an unknown uuid reached "(string)$gateway->name" on null and raised an error, which the API renders as HTTP 500 ("Unexpected error, check log for details").
Guard the lookup and return the already-initialised {"result":"failed"} instead, matching the inherited del* verbs and the adjacent toggleGatewayAction(), which already null-check getNodeByReference().
mvc: DescriptionField: disable special and newline characters
This is only cosmetic and since the description is only used as a
label and not a note block this is fine (and could be overridden
by the model if needed).
Interfaces/DHCP - Further tighten security for https://github.com/opnsense/core/security/advisories/GHSA-5rx3-w735-74wm
As advanced fields should always require high level access, we should prevent accidental mistakes from administrators allowing non-admins to change these items.
In the long run, we likely want to drop these options, but that requires at least bringing back some common options which we are able to validate properly.
system: non-canonical cast (binary) is deprecated
May need to revisit this again, but for now PHP suggests that
(string) is equivalent to (binary) although the code reads
strange.