From dec48352f902db2e8440201bb7d6e556c122d976 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Tue, 17 Feb 2026 08:00:51 +0100
Subject: [PATCH] www: config read safety using feddc1f (#9787)

Increase coverage of the new feature in our legacy www files.
---
 src/www/firewall_nat_out.php              |  7 ++--
 src/www/firewall_nat_out_edit.php         | 41 +++++++++++------------
 src/www/firewall_rules.php                | 15 +++------
 src/www/firewall_schedule_edit.php        | 36 ++++++--------------
 src/www/interfaces.php                    | 10 +++---
 src/www/interfaces_assign.php             | 38 +++++++--------------
 src/www/interfaces_ppps_edit.php          | 16 +++------
 src/www/system_advanced_admin.php         |  2 +-
 src/www/system_authservers.php            |  4 +--
 src/www/system_usermanager_passwordmg.php |  2 +-
 10 files changed, 64 insertions(+), 107 deletions(-)

diff --git a/src/www/firewall_nat_out.php b/src/www/firewall_nat_out.php
index b5b5cea21b..69c97e0fbc 100644
--- a/src/www/firewall_nat_out.php
+++ b/src/www/firewall_nat_out.php
@@ -107,10 +107,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
 
 $mode = $config['nat']['outbound']['mode'];
 
-$interface_names= array();
-// add this hosts ips
-foreach ($config['interfaces'] as $intf => $intfdata) {
-    if (isset($intfdata['ipaddr']) && $intfdata['ipaddr'] != 'dhcp') {
+$interface_names = [];
+foreach (config_read_array('interfaces', false) as $intf => $intfdata) {
+    if (is_ipaddrv4($intfdata['ipaddr'] ?? 'none')) {
         $interface_names[$intfdata['ipaddr']] = sprintf(gettext('%s address'), !empty($intfdata['descr']) ? $intfdata['descr'] : $intf );
     }
 }
diff --git a/src/www/firewall_nat_out_edit.php b/src/www/firewall_nat_out_edit.php
index 4f47bf881c..d73cdd6241 100644
--- a/src/www/firewall_nat_out_edit.php
+++ b/src/www/firewall_nat_out_edit.php
@@ -34,36 +34,33 @@ require_once("filter.inc");
 /**
  * return option array for valid translation networks
  */
-function formTranslateAddresses() {
-    global $config;
-    $retval = array();
+function formTranslateAddresses()
+{
+    $retval = [];
 
-    // add this hosts ips
-    foreach (legacy_config_get_interfaces(array('virtual' => false, "enable" => true)) as $intf => $intfdata) {
+    foreach (legacy_config_get_interfaces(['virtual' => false, 'enable' => true]) as $intf => $intfdata) {
         $retval[$intf."ip"] = (!empty($intfdata['descr']) ? $intfdata['descr'] : $intf ) . " " . gettext("address");
     }
 
-    // add VIPs's
-    if (isset($config['virtualip']['vip'])) {
-        foreach ($config['virtualip']['vip'] as $sn) {
-            if (empty($sn['noexpand'])) {
-                if ($sn['mode'] == "proxyarp") {
-                    $start = ip2long32(gen_subnet($sn['subnet'], $sn['subnet_bits']));
-                    $end = ip2long32(gen_subnet_max($sn['subnet'], $sn['subnet_bits']));
-                    $len = $end - $start;
-                    $retval[$sn['subnet'].'/'.$sn['subnet_bits']] = htmlspecialchars("Subnet: {$sn['subnet']}/{$sn['subnet_bits']} ({$sn['descr']})");
-                    for ($i = 0; $i <= $len; $i++) {
-                        $snip = long2ip32($start+$i);
-                        $retval[$snip] = htmlspecialchars("{$snip} ({$sn['descr']})");
-                    }
-                } else {
-                    $retval[$sn['subnet']] = htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");
-                }
+    foreach (config_read_array('virtualip', 'vip', false) as $sn) {
+        if (!empty($sn['noexpand'])) {
+            continue;
+        }
+
+        if ($sn['mode'] == "proxyarp") {
+            $start = ip2long32(gen_subnet($sn['subnet'], $sn['subnet_bits']));
+            $end = ip2long32(gen_subnet_max($sn['subnet'], $sn['subnet_bits']));
+            $len = $end - $start;
+            $retval[$sn['subnet'].'/'.$sn['subnet_bits']] = htmlspecialchars("Subnet: {$sn['subnet']}/{$sn['subnet_bits']} ({$sn['descr']})");
+            for ($i = 0; $i <= $len; $i++) {
+                $snip = long2ip32($start+$i);
+                $retval[$snip] = htmlspecialchars("{$snip} ({$sn['descr']})");
             }
+        } else {
+            $retval[$sn['subnet']] = htmlspecialchars("{$sn['subnet']} ({$sn['descr']})");
         }
     }
 
-    // add Aliases
     foreach (legacy_list_aliases("network") as $alias) {
         if ($alias['type'] == "host") {
             $retval[$alias['name']] = $alias['name'];
diff --git a/src/www/firewall_rules.php b/src/www/firewall_rules.php
index d8d1692073..8106504794 100644
--- a/src/www/firewall_rules.php
+++ b/src/www/firewall_rules.php
@@ -941,16 +941,11 @@ $( document ).ready(function() {
 <?php
                       if (!empty($filterent['sched'])):?>
 <?php
-                        $schedule_descr = "";
-                        if (isset($config['schedules']['schedule']))
-                        {
-                            foreach ($config['schedules']['schedule'] as $schedule)
-                            {
-                                if ($schedule['name'] == $filterent['sched'])
-                                {
-                                    $schedule_descr = (isset($schedule['descr'])) ? $schedule['descr'] : "";
-                                    break;
-                                }
+                        $schedule_descr = '';
+                        foreach (config_read_array('schedules', 'schedule', false) as $schedule) {
+                            if ($schedule['name'] == $filterent['sched']) {
+                                $schedule_descr = (isset($schedule['descr'])) ? $schedule['descr'] : "";
+                                break;
                             }
                         }
 ?>
diff --git a/src/www/firewall_schedule_edit.php b/src/www/firewall_schedule_edit.php
index 75a367b3c6..138f4fab36 100644
--- a/src/www/firewall_schedule_edit.php
+++ b/src/www/firewall_schedule_edit.php
@@ -32,34 +32,20 @@
 require_once("guiconfig.inc");
 require_once("filter.inc");
 
-/****f* legacy/is_schedule_inuse
- * NAME
- *   checks to see if a schedule is currently in use by a rule
- * INPUTS
- *
- * RESULT
- *   true or false
- * NOTES
- *
- ******/
 function is_schedule_inuse($schedule)
 {
-        global $config;
-
-        if ($schedule == '') {
-                return false;
-        }
-
-        /* loop through firewall rules looking for schedule in use */
-        if (isset($config['filter']['rule'])) {
-                foreach ($config['filter']['rule'] as $rule) {
-                        if ($rule['sched'] == $schedule) {
-                                return true;
-                        }
-                }
-        }
-
+    if ($schedule == '') {
         return false;
+    }
+
+    /* loop through firewall rules looking for schedule in use */
+    foreach (config_read_array('filter', 'rule', false) as $rule) {
+        if ($rule['sched'] == $schedule) {
+            return true;
+        }
+    }
+
+    return false;
 }
 
 function schedule_sort()
diff --git a/src/www/interfaces.php b/src/www/interfaces.php
index 9f7ddcda6a..4bd4e3027b 100644
--- a/src/www/interfaces.php
+++ b/src/www/interfaces.php
@@ -904,7 +904,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
                     $input_errors[] = gettext("MTU of a VLAN should not be bigger than parent interface.");
                 }
             } else {
-                foreach ($config['interfaces'] as $idx => $ifdata) {
+                foreach (config_read_array('interfaces', false) as $idx => $ifdata) {
                     if ($idx == $if || !strstr($ifdata['if'], 'vlan') || !strstr($ifdata['if'], 'qinq')) {
                         continue;
                     }
@@ -943,11 +943,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
             if ($a_interfaces[$if]['wireless']['mode'] != $pconfig['mode']) {
                 $wlanbaseif = interface_get_wireless_base($a_interfaces[$if]['if']);
                 $clone_count = does_interface_exist("{$wlanbaseif}_wlan0") ? 1 : 0;
-                if (!empty($config['wireless']['clone'])) {
-                    foreach ($config['wireless']['clone'] as $clone) {
-                        if ($clone['if'] == $wlanbaseif) {
-                            $clone_count++;
-                        }
+                foreach (config_read_array('wireless', 'clone', false) as $clone) {
+                    if ($clone['if'] == $wlanbaseif) {
+                        $clone_count++;
                     }
                 }
                 if ($clone_count > 1) {
diff --git a/src/www/interfaces_assign.php b/src/www/interfaces_assign.php
index 7c3fe09a1d..c9a575c65a 100644
--- a/src/www/interfaces_assign.php
+++ b/src/www/interfaces_assign.php
@@ -35,15 +35,11 @@ require_once("interfaces.inc");
 
 function link_interface_to_group($int)
 {
-    global $config;
-
     $result = [];
 
-    if (isset($config['ifgroups']['ifgroupentry'])) {
-        foreach ($config['ifgroups']['ifgroupentry'] as $group) {
-            if (in_array($int, preg_split('/[ |,]+/', $group['members']))) {
-                $result[$group['ifname']] = $int;
-            }
+    foreach (config_read_array('ifgroups', 'ifgroupentry', false) as $group) {
+        if (in_array($int, preg_split('/[ |,]+/', $group['members']))) {
+            $result[$group['ifname']] = $int;
         }
     }
 
@@ -52,8 +48,6 @@ function link_interface_to_group($int)
 
 function list_devices($devices)
 {
-    global $config;
-
     $interfaces = [];
 
     /* add physical network interfaces */
@@ -169,20 +163,16 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
                 plugins_configure('dhcp', false, array('inet6'));
             }
 
-            if (isset($config['filter']['rule'])) {
-                foreach ($config['filter']['rule'] as $x => $rule) {
-                    /* XXX this doesn't match floating rules with multiple values */
-                    if (isset($rule['interface']) && $rule['interface'] == $id) {
-                        unset($config['filter']['rule'][$x]);
-                    }
+            foreach (config_read_array('filter', 'rule') as $x => $rule) {
+                /* XXX this doesn't match floating rules with multiple values */
+                if (isset($rule['interface']) && $rule['interface'] == $id) {
+                    unset($config['filter']['rule'][$x]);
                 }
             }
 
-            if (isset($config['nat']['rule'])) {
-                foreach ($config['nat']['rule'] as $x => $rule) {
-                    if ($rule['interface'] == $id) {
-                        unset($config['nat']['rule'][$x]['interface']);
-                    }
+            foreach (config_read_array('nat', 'rule', false) as $x => $rule) {
+                if ($rule['interface'] == $id) {
+                    unset($config['nat']['rule'][$x]['interface']);
                 }
             }
 
@@ -228,11 +218,9 @@ if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             }
         }
 
-        if (isset($config['vlans']['vlan'])) {
-            foreach ($config['vlans']['vlan'] as $vlan) {
-                if (!does_interface_exist($vlan['if'])) {
-                    $input_errors[] = sprintf(gettext("VLAN parent interface %s does not exist."), $vlan['if']);
-                }
+        foreach (config_read_array('vlans', 'vlan', false) as $vlan) {
+            if (!does_interface_exist($vlan['if'])) {
+                $input_errors[] = sprintf(gettext("VLAN parent interface %s does not exist."), $vlan['if']);
             }
         }
 
diff --git a/src/www/interfaces_ppps_edit.php b/src/www/interfaces_ppps_edit.php
index 2ce5af2a40..8aa1a424cf 100644
--- a/src/www/interfaces_ppps_edit.php
+++ b/src/www/interfaces_ppps_edit.php
@@ -33,13 +33,9 @@ require_once("interfaces.inc");
 
 function interfaces_ptpid_used($ptpid)
 {
-    global $config;
-
-    if (isset($config['ppps']['ppp'])) {
-        foreach ($config['ppps']['ppp'] as & $settings) {
-            if ($ptpid == $settings['ptpid']) {
-                return true;
-            }
+    foreach (config_read_array('ppps', 'ppp', false) as $settings) {
+        if ($ptpid == $settings['ptpid']) {
+            return true;
         }
     }
 
@@ -501,10 +497,8 @@ include("head.inc");
                           $iflist = get_configured_interface_with_descr();
                           $portlist = array_merge($portlist, $iflist);
 
-                          if (isset($config['vlans']['vlan'])) {
-                              foreach ($config['vlans']['vlan'] as $vlan) {
-                                  $portlist[$vlan['vlanif']] = $vlan;
-                              }
+                          foreach (config_read_array('vlans', 'vlan', false) as $vlan) {
+                              $portlist[$vlan['vlanif']] = $vlan;
                           }
                           foreach ($portlist as $intf_key => $intf_value):?>
                           <option data-type="interface" value="<?=$intf_key;?>" <?=in_array($intf_key, $pconfig['ports']) ? "selected=\"selected\"" : "";?> >
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index 67c579bcf0..f8fbd570dd 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -135,7 +135,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     }
 
     if (!empty($pconfig['ssl-certref'])) {
-        foreach ($config['cert'] as $cert) {
+        foreach (config_read_array('cert', false) as $cert) {
             if ($cert['refid'] == $pconfig['ssl-certref']) {
                 if (cert_get_purpose($cert['crt'])['server'] == 'No') {
                     $input_errors[] = gettext(
diff --git a/src/www/system_authservers.php b/src/www/system_authservers.php
index 2794879f2d..e28d006715 100644
--- a/src/www/system_authservers.php
+++ b/src/www/system_authservers.php
@@ -333,8 +333,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     } elseif (isset($pconfig['act']) && $pconfig['act'] == 'del' && isset($id)) {
         /* Remove server from main list. */
         $serverdeleted = $a_server[$id]['name'];
-        foreach ($config['system']['authserver'] as $k => $as) {
-            if ($config['system']['authserver'][$k]['name'] == $serverdeleted) {
+        foreach (config_read_array('system', 'authserver', false) as $k => $as) {
+            if ($as['name'] == $serverdeleted) {
                 unset($config['system']['authserver'][$k]);
             }
         }
diff --git a/src/www/system_usermanager_passwordmg.php b/src/www/system_usermanager_passwordmg.php
index ba0f3f2c38..f7c4ecad99 100644
--- a/src/www/system_usermanager_passwordmg.php
+++ b/src/www/system_usermanager_passwordmg.php
@@ -36,7 +36,7 @@ $username = $_SESSION['Username'];
 
 /* determine if user is not local to system */
 $userFound = false;
-foreach ($config['system']['user'] as $user) {
+foreach (config_read_array('system', 'user', false) as $user) {
     if ($user['name'] == $username) {
         $userFound = true;
         break;