OPNSense/core 914e5a2 src/opnsense/service/modules/actions script_output.py

configd: change https://github.com/opnsense/core/commit/c8cd5565ec135a0111497fde2e20e3cb79324f0d seemed to have uncovered another issue when it comes to file generation, as each call generates a new tempfile, we're now keeping a lot of them.

In order to fix this behavior, only generate the filename and reuse it when serving cached commands, which was the intention from the beginning.
Delta    File
+15 -3   src/opnsense/service/modules/actions/script_output.py
+15 -3   1 files

OPNSense/core 2c473f8 src/opnsense/mvc/app/models/OPNsense/Kea KeaDdns.php KeaDhcpv4.xml

Add a default for ddns_domain_algorithm inside the config generator
Delta    File
+5 -5    src/opnsense/mvc/app/models/OPNsense/Kea/KeaDdns.php
+1 -2    src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
+1 -1    src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv6.xml
+7 -8    3 files

OPNSense/core 1ffaff8 src/www firewall_nat_out.php

firewall: use safe config iteration in outbound NAT page
Delta    File
+3 -4    src/www/firewall_nat_out.php
+3 -4    1 files

OPNSense/core 378b291 src/www system_advanced_admin.php

system: use safe config iteration in admin settings page
Delta    File
+2 -2    src/www/system_advanced_admin.php
+2 -2    1 files

OPNSense/core 00af539 src/etc/inc util.inc interfaces.inc

backend: mwexecfb(): "spidfile" is weird so switch "pidfile" according to "reset"
Delta    File
+5 -8    src/etc/inc/util.inc
+1 -1    src/etc/inc/interfaces.inc
+6 -9    2 files

OPNSense/core fc4e27d src/etc/inc/plugins.inc.d ipsec.inc

ipsec: use safe config iteration for VIP lookup
Delta    File
+1 -1    src/etc/inc/plugins.inc.d/ipsec.inc
+1 -1    1 files

OPNSense/core c920501 Mk git.mk

make: improve rebase to auto-abort much like mfc target

(cherry picked from commit 45dc8a3c1fa2e8ca112c2b557e0a35b5027a0925)
Delta    File
+1 -1    Mk/git.mk
+1 -1    1 files

OPNSense/core a341678 src/www interfaces_ppps_edit.php

interfaces: use safe config iteration in PPP edit page
Delta    File
+5 -11   src/www/interfaces_ppps_edit.php
+5 -11   1 files

OPNSense/core 412f86c src/www firewall_rules.php

firewall: use safe iteration in old rule page for schedule lookup
Delta    File
+5 -10   src/www/firewall_rules.php
+5 -10   1 files

OPNSense/core 45dc8a3 Mk git.mk

make: improve rebase to auto-abort much like mfc target
Delta    File
+1 -1    Mk/git.mk
+1 -1    1 files

OPNSense/core 44b075a. LICENSE

LICENSE: sync
Delta    File
+1 -1    LICENSE
+1 -1    1 files

OPNSense/core c9d7aee Mk version.mk, src/opnsense/scripts/shell restore.sh

shell: improve config restore UX using diff and additional meta data display
Delta    File
+50 -8   src/opnsense/scripts/shell/restore.sh
+1 -0    Mk/version.mk
+51 -8   2 files

OPNSense/core 2218dd4 src/opnsense/scripts/monit gateway_alert.php

monit: use safe config iteration in gateway alert script
Delta    File
+17 -19  src/opnsense/scripts/monit/gateway_alert.php
+17 -19  1 files

OPNSense/core a21e0e2 src/opnsense/scripts/kea kea_prefix_watcher.py

kea: kea_prefix_watcher guard when no link-local address exists for a route that should be installed (#9905)

(cherry picked from commit dddecb4ca7aa80d59abab1a4e940324d14963d94)
Delta    File
+6 -0    src/opnsense/scripts/kea/kea_prefix_watcher.py
+6 -0    1 files

OPNSense/core c0e911c src/opnsense/scripts/filter read_log.py

firewall: fix SyntaxWarning, perhaps a Python 3.13 side effect

See: https://docs.python.org/3/library/re.html
PR: https://forum.opnsense.org/index.php?topic=51226.0
(cherry picked from commit 92e0d5a96fbe2befb41e7d3a151d5b734497f7eb)
Delta    File
+1 -1    src/opnsense/scripts/filter/read_log.py
+1 -1    1 files

OPNSense/core b1e5779 src/opnsense/mvc/app/views/OPNsense/Diagnostics fw_log.volt

firewall: live view: allow regex use in 'contains' cases

https://forum.opnsense.org/index.php?topic=51226.0
(cherry picked from commit 41664263de3f4fe211d0e7af9d0a471c300ceb21)
Delta    File
+14 -5   src/opnsense/mvc/app/views/OPNsense/Diagnostics/fw_log.volt
+14 -5   1 files

OPNSense/core 1041151 src/opnsense/mvc/app/models/OPNsense/Firewall DNat.php

Firewall: NAT: Destination NAT: Add model validations for common errors (#9885)

(cherry picked from commit 4c5fa27a00a10b1f5612549d32df1c60fc4e0620)
Delta    File
+37 -1   src/opnsense/mvc/app/models/OPNsense/Firewall/DNat.php
+37 -1   1 files

OPNSense/core ce11ba9 src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes InterfaceField.php CertificateField.php

mvc: BaseListField $hash access to static options #9816

Also make $internalStaticOptList private and reshuffle the callers
for maximum effect.

(cherry picked from commit feee43402d946e5c3799d412a77f7a5801f822c3)
Delta    File
+78 -78  src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/InterfaceField.php
+17 -17  src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/CertificateField.php
+95 -95  2 files

OPNSense/core 52a9cfc src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes InterfaceField.php CertificateField.php, src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes InterfaceFieldTest.php CertificateFieldTest.php

mvc: move CertificateField and InterfaceField to newer static option API for #9816

(cherry picked from commit 7b6e666b74089609466f6c383891b6b8bf8d0406)
Delta    File
+21 -23  src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes/InterfaceFieldTest.php
+13 -20  src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/InterfaceField.php
+12 -19  src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/CertificateField.php
+1 -1    src/opnsense/mvc/tests/app/models/OPNsense/Base/FieldTypes/CertificateFieldTest.php
+47 -63  4 files

OPNSense/core e54010f src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes ProtocolField.php

firewall: make MVC protocol selection much more like old GUI

This means list most frequently used protocols first, but only if
found in the list that has been built (including additional option
like TCP/UDP from model).

(cherry picked from commit 29dab2fa77c748d12e623333e98ddd299c2ded96)
Delta    File
+12 -0   src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/ProtocolField.php
+12 -0   1 files

OPNSense/core 02fd65d src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes ProtocolField.php

mvc: ProtocolField: use shared implementation of $internalStaticOptionList

PR: https://github.com/opnsense/core/issues/9816

(cherry picked from commit 568146dae51acbc5f9e5ace3a8da2371235b1e42)
Delta    File
+41 -45  src/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/ProtocolField.php
+41 -45  1 files

OPNSense/core d3fdcfd src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api FilterController.php

firewall: merge read of groups and interfaces

They are stored in the same location and used by the interface
field type as such.  This prevents showing unrendered groups
and also displays the consistent label between the rule and
rules selectors.

(cherry picked from commit fce88501cc9dcd4d225083cd14be8532ee346111)
(cherry picked from commit 16bc9ee719da5443a23f33ab925071a9b18e30a8)
Delta    File
+6 -14   src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+6 -14   1 files

OPNSense/core bb72a40 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api FilterController.php

Firewall: Rules [new]: Fix automatically generated rules not showing label name, minor regression in 963b9a8c (#9911)

(cherry picked from commit ff2fa254eaa9aa57ab8a004a86344cdd78638228)
Delta    File
+3 -1    src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php
+3 -1    1 files

OPNSense/core d6c5979 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api FilterBaseController.php

mvc: style

(cherry picked from commit b07af5376e14213c5976d961af2a8b374fa6a593)
Delta    File
+2 -1    src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterBaseController.php
+2 -1    1 files

OPNSense/core 5233567 src/opnsense/mvc/app/controllers/OPNsense/Base UserException.php

php: "Implicitly marking parameter XXX as nullable is deprecated" in php 8.4 and up.

(cherry picked from commit 029c840f5e55023d72a3e8d48bc219b2d5b1d06b)
(cherry picked from commit 06a2025f3cbd5df7bb9f5a57571fb856d921307e)
Delta    File
+21 -23  src/opnsense/mvc/app/controllers/OPNsense/Base/UserException.php
+21 -23  1 files

OPNSense/core 06a2025 src/opnsense/mvc/app/controllers/OPNsense/Base UserException.php

mvc: UserException: style updates while we have changes here
Delta    File
+21 -23  src/opnsense/mvc/app/controllers/OPNsense/Base/UserException.php
+21 -23  1 files

OPNSense/core 2faa80a src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api AliasUtilController.php, src/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api OverviewController.php

mvc: fix CSRF vulnerability in multiple API endpoints by enforcing POST-only requests

Several API actions executed state-changing backend operations while accepting
GET requests. Since CSRF validation in ApiControllerBase only applies to
POST/PUT/DELETE methods, these endpoints could be triggered via authenticated
CSRF requests.

This patch enforces POST-only access for the following actions:

- AliasUtilController::updateBogonsAction
- OverviewController::reloadInterfaceAction
- ServiceController::dnsblAction
- ServiceController::reconfigureGeneralAction

(cherry picked from commit ac7a8024c2804b4fa213c38e30e4d97bc7f955cc)
(cherry picked from commit 0903e242adade4a2d7521fb93d0805da5988cfc0)
Delta    File
+11 -1   src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/ServiceController.php
+5 -1    src/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api/OverviewController.php
+4 -0    src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/AliasUtilController.php
+20 -2   3 files

OPNSense/core 0903e24 src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api ServiceController.php

unbound: minor style adjustment on previous
Delta    File
+5 -3    src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/ServiceController.php
+5 -3    1 files

OPNSense/core ac7a802 src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api AliasUtilController.php, src/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api OverviewController.php

Merge commit from fork

* Fix CSRF vulnerability in multiple API endpoints by enforcing POST-only requests

Several API actions executed state-changing backend operations while accepting
GET requests. Since CSRF validation in ApiControllerBase only applies to
POST/PUT/DELETE methods, these endpoints could be triggered via authenticated
CSRF requests.

This patch enforces POST-only access for the following actions:

- AliasUtilController::updateBogonsAction
- OverviewController::reloadInterfaceAction
- ServiceController::dnsblAction
- ServiceController::reconfigureGeneralAction

Non-POST requests now return HTTP 405 with Allow: POST.

* simplify POST enforcement to match project conventions

    [9 lines not shown]
Delta    File
+8 -0    src/opnsense/mvc/app/controllers/OPNsense/Unbound/Api/ServiceController.php
+5 -1    src/opnsense/mvc/app/controllers/OPNsense/Interfaces/Api/OverviewController.php
+4 -0    src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/AliasUtilController.php
+17 -1   3 files

OPNSense/plugins c52fcbd security/q-feeds-connector pkg-descr Makefile, security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api SettingsController.php

security/q-feeds-connector: sync with master
Delta    File
+3 -0    security/q-feeds-connector/src/opnsense/mvc/app/controllers/OPNsense/QFeeds/Api/SettingsController.php
+1 -0    security/q-feeds-connector/pkg-descr
+1 -0    security/q-feeds-connector/Makefile
+5 -0    3 files