
Archive for the ‘Development’ Category

XSS, GET and POST

There is recent work converting pages in the pfSense software webGUI to use POST rather than GET. This work is scheduled to appear in pfSense software version 2.4.

While this work was spurred by the recent security issue that caused the pending release of pfSense software version 2.3.3, it isn’t specifically about closing XSS bugs. There are situations when you should use POST rather than GET, but just avoiding XSS isn’t one of them.  Even if what we’re talking about is XSRF, requiring POST doesn’t really protect the application. REST advocates would actually say that you shouldn’t just use GET in a web application, but rather that you should use POST, PUT and DELETE for the corresponding “CRUD” operations, operations that change the state of the application.

To specifically avoid XSS, a web app needs to escape and/or scrub content from users as appropriate.  To avoid XSRF, a web app has to require secret tokens on any side-effect causing operation that is potentially dangerous.  Note that it is a good idea to avoid using GET requests when passing secret tokens, as this could result in them leaking in referrers.  Still, switching to POST does help avoid XSS attacks.  As Wikipedia explains:

In HTTP GET the CSRF exploitation is trivial. For example, a simple hyperlink containing manipulated parameters and automatically loaded by an IMG tag. By the HTTP specification however, GET should be used as a safe method, that is, not significantly changing user’s state in the application. Applications using GET for such operations should be rewritten to use HTTP POST and/or use anti-CSRF protection.

Simplifying the above:

  • Use GET for read-only requests whenever possible. (pretty much whenever the query can fit in a URL)
  • Use POST (or PUT or DELETE, if feasible and appropriate) for write requests.

The process of conversion from using GET to POST has previously required a comprehensive re-write of the page, converting anchors into buttons and adding Javascript to handle the click event.  Jim Pingle recently found some code where someone had attempted to automate this in Javascript. While it was not suitable for what we needed, it sparked an idea, and that idea has now been implemented for pfSense 2.4.

The file pfSenseHelpers.js now contains code that intercepts clicks on anchor tags with the attribute “usepost” set. The target URL and the GET arguments are extracted from the event href attribute, and these are used to compose a new, temporary form with the previous arguments inserted as POST parameters.
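The interceptor described above, written out as an added example (this is not the project’s pfSenseHelpers.js, just an illustration of the same mechanism). It also shows the point made earlier about secret tokens: the anti-XSRF token is copied into the temporary form so it travels in the POST body rather than in the URL. The token source (a <meta name="csrf-token"> tag) and the field name "__csrf_magic" are assumptions, not part of the original page.

```javascript
// Added example: intercept clicks on <a ... usepost> and resubmit the anchor's
// GET parameters as a POST. Not the project's own code.
//
// Assumptions (not from the original page): the anti-CSRF token is exposed in a
// <meta name="csrf-token"> tag and is submitted as the field "__csrf_magic".

const CSRF_FIELD = "__csrf_magic";

// Turn an anchor's href into a form description: the action (the href with its
// query string and fragment removed) plus the GET parameters as name/value
// pairs. Pure function, so it can be tested without a DOM.
function hrefToPostSpec(href, csrfToken, base = "http://localhost/") {
  const url = new URL(href, base); // only used to parse the query string
  const action = href.split(/[?#]/)[0] || url.pathname;
  const fields = [];
  for (const [name, value] of url.searchParams) {
    fields.push({ name, value });
  }
  if (csrfToken) {
    // The token rides in the POST body, never in the URL, so it cannot leak
    // through the Referer header or browser history.
    fields.push({ name: CSRF_FIELD, value: csrfToken });
  }
  return { action, fields };
}

// Build a hidden, temporary form from the spec and submit it (DOM only).
function submitAsPost(doc, spec) {
  const form = doc.createElement("form");
  form.method = "post";
  form.action = spec.action;
  for (const { name, value } of spec.fields) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  doc.body.appendChild(form); // a form must be in the document to submit
  form.submit();
}

// One delegated listener covers every usepost anchor, including ones added later.
function installUsePostHandler(doc) {
  doc.addEventListener("click", (event) => {
    const target = event.target;
    const anchor = target && target.closest ? target.closest("a[usepost]") : null;
    if (!anchor) return;
    event.preventDefault(); // stop the browser from issuing the GET
    const meta = doc.querySelector('meta[name="csrf-token"]');
    const token = meta ? meta.getAttribute("content") : "";
    submitAsPost(doc, hrefToPostSpec(anchor.getAttribute("href"), token, doc.baseURI));
  });
}

// Install automatically when loaded in a browser; harmless under Node.
if (typeof document !== "undefined") {
  installUsePostHandler(document);
}
```

Because hrefToPostSpec is separated from the DOM work, the parameter handling (repeated names, URL-encoded values, a missing token) can be unit tested, and the server side can keep using the same parameter names it did for GET, which is why the conversion steps below reduce to swapping $_GET for $_POST.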

Converting a page from GET to POST now only requires four steps:

  1. Replace $_GET with $_POST where appropriate
  2. Add the “usepost” attribute to anchors that have the href attributes set
  3. Fix any “if ($_POST)” instances (or similar)
  4. Test

Not all GET calls need to be replaced. In fact, where the action involved is not harmful, such as “edit” or “view”, it is better to leave the GET or REQUEST in place. That way the action can be bookmarked, and using the browser “Back” button is less frustrating.

Here is a simple example of a conversion:

Before:

<?php
  // Destructive action driven by a plain GET link
  if ($_GET['act'] == "delete") {
    deleteGateway($_GET['id']);
  }

  // Any POST at all is treated as a form save
  if ($_POST) {
    if ($_POST['apply']) {
      write_nvram();
    } else {
      if (!save_config($id)) {
        $input_errors[] = "Something broke";
      }
    }
  }
?>

<a type="button" class="btn btn-danger" href="system_something.php?act=delete&id=<?=htmlspecialchars($id)?>" >
  <i class="fa fa-trash"></i>
  <?=gettext("Delete")?>
</a>

After:

<?php
  // The delete action now arrives as a POST parameter
  if ($_POST['act'] == "delete") {
    deleteGateway($_POST['id']);
  }

  if ($_POST['apply']) {
    write_nvram();
  }

  if ($_POST['save']) { // The generic if ($_POST) is now if ($_POST['save']) to detect when the form is being saved
    if (!save_config($id)) {
      $input_errors[] = "Something broke";
    }
  }
?>

<!-- The "usepost" attribute is added to the anchor -->
<a type="button" class="btn btn-danger" href="system_something.php?act=delete&id=<?=htmlspecialchars($id)?>" usepost>
  <i class="fa fa-trash"></i>
  <?=gettext("Delete")?>
</a>

Most of the main body of pfSense software version 2.4 has been converted to use this scheme.  Now we need the help of the pfSense Community, to test the whole of the pfSense 2.4 web GUI, and file bugs on https://redmine.pfsense.org if inconsistent behavior is observed. Additionally, authors and maintainers of pfSense packages should convert their packages when possible.

We thank you in advance for your assistance and continued participation in the community around pfSense software.

pfSense® software translations with Zanata

Zanata is a web-based translation platform for managing localization projects. A lot of effort is expended in making sure that pfSense® software fully supports localization, but until today it has not been easy for people to contribute the actual translations. Now, however, the pfSense project has been added to the online, open-source Zanata platform and translating could hardly be easier!

The steps required to contribute your language skills to pfSense are simply:
  • Go to www.zanata.org
  • Click “Go to the App”
  • Click “Sign Up”
  • Create a user account
  • Send an email to sbeaver@netgate.com or to renato@netgate.com. Provide your Zanata username and the language you wish to contribute.

This will allow us to add you to the project as quickly as possible.

Zanata displays a table with the English language string on the left, and a space to enter the translated version on the right. It also provides auto-translation where it can, learning from previous translations as you work, as well as high quality suggestions that help to automate the translation. There is syntax checking (which understands printf, HTML etc.), a glossary and numerous collaboration tools.

We think that people will really enjoy working on the Zanata platform and can’t wait to start adding the results of that work to pfSense.
[Screenshot: pfSense 2.4 to Portuguese (Brazil) in the Zanata web translation editor]

Portuguese (Brazil) translation under way

More details of the Zanata project can be found here: http://zanata.org/about/

I’ve got 99 problems, but a switch ain’t one.

If you’re havin’ loop problems I feel bad for you son, I got 99 problems but a switch ain’t one.

The SoC used for the SG-1000 (also known as “uFW”) includes an on-die 3-port gigabit Ethernet switch.   By leveraging VLANs, it’s possible to build a ‘router on a stick’ on one board.  In order to make this switch as functional as possible, we decided to leverage the FreeBSD etherswitch(4) framework.  Support for the on-die switch on SG-1000 was directly upstreamed to FreeBSD in revision 309113.

Support for this framework then needed to be added to pfSense.   First support was added to the PHP module that provides the glue layer between FreeBSD and PHP via a series of commits. Here are two of them: 1 2. Once this was done, we could start designing the components of the web GUI. Switch_system.php shows which switches are attached to the system.  It has no controls.

[Screenshot: Interfaces > Switch > System]

Switch_ports.php shows the ports available on the selected switch. Since the SG-1000 only has one switch, the selector that allows you to choose which switch you are looking at is hidden.

[Screenshot: Interfaces > Switch > Ports]

Multiple switches attached to one firewall causes a selector to appear so you can choose which one to work on.  Obviously there is only one switch on the SG-1000, but I’ve faked things here (“cd /dev: ln -s etherswitch0 etherswitch1”) to show the selector, and in order to show that we’re “thinking forward”.

[Screenshot: Interfaces > Switch > VLANs, with the switch selector visible]

The VLAN page allows you to view/create/edit a VLAN.

[Screenshot: Interfaces > Switch > VLANs]

Switch_vlans_edit.php allows you to create or edit a VLAN. Clicking on any port in the “Available ports” column adds it to, or removes it from, the “members” list.  While we accommodate up to 128 ports, this is an SG-1000, so there are only 3 ports to choose from.  There is some pretty fancy jQuery in this page.

[Screenshot: Interfaces > Switch > VLANs > Edit]

The SG-1000 is not the only product we have coming that has built-in switches. Here is a sneak peek at another.

[Photo: two upcoming Broadwell-DE systems with built-in switches]

The systems you see in this photo are a Broadwell-DE with either 6 x 10G on SFP+ on top (bcc-1) or 16x1G on RJ45 (with 2 10Gbps uplinks), plus 4 x 10G on SFP+ on bottom (bcc-0).  Both systems additionally have 2 1Gbps Ethernet ports on SFP, as well as redundant power, 2 x M.2, miniPCIe 4 x SATA3 as 2.5″ drives, and a PCIe 3.0 x16 slot for expansion.  Both of these have QuickAssist cards installed, enabling high-speed encryption and compression, but bypass NICs (for IDS/IPS) will likely prove popular as well.

Both also contain a “uBMC”, which is remarkably similar to the SG-1000, and runs pfSense with support for our coming (but unannounced) remote management product.  In fact, the germination of the SG-1000 occurred because of uBMC.  We noticed that a lot of people (including us) use pfSense to control access to the IPMI/BMC ports on their servers in colocation, so we thought, “Why not put pfSense in the BMC?”

Of course, since pfSense software is open source, this means that you’re no longer beholden to your IPMI vendor for security patches and updates.  More details on those systems, uBMC and the remote management product will be provided in future posts.


2.4 pre-alpha snapshots now available.

pfSense® software version 2.4 pre-alpha snapshots are now available.

pfSense 2.4 will use FreeBSD 11 as a base, and 11.0-RELEASE has not yet occurred.  There will be additional work to use 11.0-RELEASE as a base.

More work at “reduction of technical debt” is occurring in 2.4.  We have decided to not carry forward the kernel patches for Captive Portal.  Instead, it is being re-written to use stock IPFW.  That work is only about 75% complete.  MPD4 needs to be converted to MPD5.  In parallel with these, work is occurring to convert several subsystems (e.g. radius) to use the PEAR equivalents:

Read the rest of this entry »

pfSense around the world, better IPsec, tryforward and netmap-fwd

Last week Renato Botelho do Couto, a pfSense developer and FreeBSD ports committer, presented a talk on pfSense at Latinoware.  Renato reported that the room for his talk was full, and that many people wanted to talk after.  It’s great to see this type of response to pfSense in the world.

During the past month, I’ve attended vBSDcon 2015 in Virginia, USA, EuroBSDcon 2015 in Stockholm, Sweden, and BSDCon Brazil 2015, in Fortaleza, Brazil.   All along that way, (over 27,000 miles or 43,400 km), I’ve enjoyed having Groff, the BSD Goat as a traveling companion, and meeting many great BSD and pfSense people in each location.

At vBSDcon, EuroBSDcon and BSDCon Brazil, either George Neville-Neil or I spoke on, “Measure Twice, Code Once”.  This is our continuing series reporting on a continual, longitudinal study of networking performance in FreeBSD and pfSense.  The most recent developments here are the big improvement in IPsec performance with AES-NI support (1270 Mbps throughput, single stream, for AES-GCM with a 128-bit key on a pair of ~3GHz E5 Xeon CPUs), and the introduction of ‘tryforward’ to FreeBSD.  The IPsec changes are already in -CURRENT, and the MFC to -STABLE has been accomplished in our FreeBSD tree on GitHub.  With some luck, these will also be present in FreeBSD 10.3-RELEASE, when it occurs.

Read the rest of this entry »

2.3 alpha snapshots available

2.3 has reached alpha.

With the Bootstrap changes, the entire front end has been re-written, so there are many things that need testing. We’ve tested this in-house, but we have zero doubt that more issues will be found as infrequently-used features are tried.

Therefore we advise: Do not use this on a production system yet.

If you have the time and interest, we encourage you to try this on a scratch system or VM and provide feedback for any issues.

New features and changes are listed here.

Full change list:
  • source and build tools
  • ports
  • FreeBSD source

Outstanding bugs/features/todo items:
  • Bootstrap-specific
  • Everything else

More info is available on the forum.


pfsense-tools is gone again, this time forever

As some have noticed, we’ve changed the build system for pfSense such that the very need for the pfsense-tools repo has been removed.

While the pfsense-tools repo still exists, it’s not used for pfSense version 2.3 and later.

The former structure, where a set of discrete patches were kept against a given version of the FreeBSD source and ports trees, has now been replaced by a system where those patches are kept on a vendor branch of these trees.  This improves both the process of bringing new versions of FreeBSD and ports to pfSense and the process of upstreaming changes we make to these.  By upstreaming, we make both FreeBSD and pfSense better.

These changes have been a long-time coming.  There has been sustained effort toward this type of setup since September 2012.

There are still many parts of the build scripts that need to change, and we will continue to improve these, along with the rest of pfSense software.  As one example of where we’re headed, after base-as-pkg is done in FreeBSD 11, with only a few more changes on our tree, we should be able to build pfSense using only the build tools from FreeBSD.

pfSense webGUI update 2

We are now quite close with the initial push. Only 13 of over 200 pages remain to be converted to Bootstrap.  We are still on-track for releasing this work in pfSense software version 2.3, but a lot of work remains.  Those 13 pages are some of the more difficult pages to convert, as these involve the ‘wizards’, and some are somewhat Rube Goldberg in nature.  We currently estimate another 2-3 weeks to effect the conversion of these pages, followed by internal testing to ensure we haven’t broken anything major.  To this end, internal snapshots started being produced on 2.3 today; we’re testing this, along with the work to move from PBI to pkg(ng) and to FreeBSD 10.2 as a base.  You won’t find these snapshots anywhere yet, but soon.

In the meantime, I’ve composed an album of screenshots of the new GUI.    Remember that this isn’t the final look.  When you see text fields that extend all the way to the bounding box of the viewport, it only means that the default styling has been used.  When pfSense software version 2.3 is released, there will be a single place to ‘style’ the GUI (pfsense.css).  This should make skinning the GUI much easier, for those of you who are into that.

Read the rest of this entry »

filesystem corruption: closed

Today our upstream, FreeBSD, accepted our patch to fix the corruption / truncation issue we identified.  Some additional details are here and here.   In particular, the details on the second link show how we went about recreating the issue, and then testing it to ensure that the bug is really fixed.

It’s taken a few months to first reproduce, then fix the issue.  After we had identified the cause, I wrote to  Kirk McKusick, who knows UFS better than anyone.  Kirk explained the situation thus:

What is happening is that the files in question are being truncated then rewritten with new contents. SU ensures that after the truncation they will either show the correct new result or be zero length. Absent SU they can show up claiming the unwritten blocks which is why you see random data. Marking the filesystems sync should fix the problem as you will not have the (up to) two minute gap between the write and the data being flushed to disk.

Read the rest of this entry »

Bootstrapped webGUI update

As I wrote back in February, one of the big changes coming to pfSense is a conversion of the webGUI to Bootstrap.  Sjon Hortensius has recently accepted some 51 pull requests on his ‘bootstrap’ branch of the pfsense repo.  As you can see from that page, a large number of these come from Steve Beaver, a Netgate employee.

Converting the pfSense GUI to Bootstrap is an interesting process, partly because there are so many options. You can simply change the class of the existing display elements to make the page look “Twittery”, you can employ an entirely new PHP object-oriented framework to largely eliminate HTML altogether, and you can replace existing JavaScript with more modern DOM-based JS. Like an oil painting, it can occasionally be difficult to know when to stop.

Read the rest of this entry »