1 | ------------------------------------------------------------------------ |
2 | r7439 | rony | 2014-03-30 17:52:10 -0500 (Sun, 30 Mar 2014) | 5 lines | |
3 | ||
4 | bug#0002405: SQL injection in graph_xport.php | |
5 | ||
6 | - Fixed form input validation problems | |
7 | - Fixed rrd export and graph shell escape issues | |
8 | ||
9 | ------------------------------------------------------------------------ | |
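--- a/branches/0.8.8/graph_xport.php
+++ b/branches/0.8.8/graph_xport.php
@@ -47,43 +47,48 @@
 
 $graph_data_array = array();
 
+/* ================= input validation ================= */
+input_validate_input_number(get_request_var("local_graph_id"));
+input_validate_input_number(get_request_var("rra_id"));
+/* ==================================================== */
+
 /* override: graph start time (unix time) */
-if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
- $graph_data_array["graph_start"] = $_GET["graph_start"];
+if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
+ $graph_data_array["graph_start"] = get_request_var("graph_start");
 }
 
 /* override: graph end time (unix time) */
-if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
- $graph_data_array["graph_end"] = $_GET["graph_end"];
+if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
+ $graph_data_array["graph_end"] = get_request_var("graph_end");
 }
 
 /* override: graph height (in pixels) */
-if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
- $graph_data_array["graph_height"] = $_GET["graph_height"];
+if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
+ $graph_data_array["graph_height"] = get_request_var("graph_height");
 }
 
 /* override: graph width (in pixels) */
-if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
- $graph_data_array["graph_width"] = $_GET["graph_width"];
+if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
+ $graph_data_array["graph_width"] = get_request_var("graph_width");
 }
 
 /* override: skip drawing the legend? */
 if (!empty($_GET["graph_nolegend"])) {
- $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
+ $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
 }
 
 /* print RRDTool graph source? */
 if (!empty($_GET["show_source"])) {
- $graph_data_array["print_source"] = $_GET["show_source"];
+ $graph_data_array["print_source"] = get_request_var("show_source");
 }
 
-$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
+$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
 
 /* for bandwidth, NThPercentile */
 $xport_meta = array();
 
 /* Get graph export */
-$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
+$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
 
 /* Make graph title the suggested file name */
 if (is_array($xport_array["meta"])) {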
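Review bot: The parenthesis on the graph_start override (patch line 26) is misplaced: `is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)` hands is_numeric a boolean, which is false for both true and false, so this override can never be applied and the branch behaves differently from the three sibling overrides. It should read `if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {`, matching the graph_end, graph_height and graph_width lines. Separately, every check tests `$_GET` but the stored value comes from `get_request_var(...)`; if that helper reads `$_REQUEST`, the value that was validated and the value that is consumed can differ, so either validate what get_request_var returns or store the `$_GET` value that passed the check. The rrdtool_function_xport call on patch line 71 still passes `$_GET["local_graph_id"]` directly while every other read was moved to get_request_var; it is covered by the input_validate_input_number call at the top of the hunk, but the inconsistent source is worth aligning.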
75 | Index: branches/0.8.8/lib/rrd.php | |
76 | =================================================================== | |
77 | --- branches/0.8.8/lib/rrd.php (revision 7438) | |
78 | +++ branches/0.8.8/lib/rrd.php (revision 7439) | |
79 | @@ -865,13 +865,13 @@ | |
80 | /* basic graph options */ | |
81 | $graph_opts .= | |
82 | "--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL . | |
83 | - "--start=$graph_start" . RRD_NL . | |
84 | - "--end=$graph_end" . RRD_NL . | |
85 | + "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL . | |
86 | + "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL . | |
87 | "--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL . | |
88 | "$rigid" . | |
89 | - "--base=" . $graph["base_value"] . RRD_NL . | |
90 | - "--height=$graph_height" . RRD_NL . | |
91 | - "--width=$graph_width" . RRD_NL . | |
92 | + "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL . | |
93 | + "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL . | |
94 | + "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL . | |
95 | "$scale" . | |
96 | "$unit_value" . | |
97 | "$unit_exponent_value" . | |
98 | @@ -1606,8 +1606,8 @@ | |
99 | ||
100 | /* basic export options */ | |
101 | $xport_opts = | |
102 | - "--start=$xport_start" . RRD_NL . | |
103 | - "--end=$xport_end" . RRD_NL . | |
104 | + "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL . | |
105 | + "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL . | |
106 | "--maxrows=10000" . RRD_NL; | |
107 | ||
108 | $xport_defs = ""; | |
109 | @@ -1997,7 +1997,7 @@ | |
110 | $stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0; | |
111 | $j++; | |
112 | ||
113 | - $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ; | |
114 | + $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ; | |
115 | }else{ | |
116 | $need_rrd_nl = FALSE; | |
117 | } |
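Review bot: The first rrd.php hunk escapes start, end, base, height and width, but `"$rigid"`, `"$scale"`, `"$unit_value"` and `"$unit_exponent_value"` remain interpolated unescaped into the same option string; whether those are assembled from fixed literals or from per-graph database values is not visible here, and any of them that carries a DB-sourced string needs the same cacti_escapeshellarg treatment. In the third hunk `$data_source_name` is now escaped but, unlike `$legend_name`, is not colon-stripped, so a name containing `:` would still shift the XPORT field positions; a comment such as `/* vname is shell-escaped; the legend additionally drops ':' because it is the XPORT field separator */` would record why the two are treated differently. All three hunks sit inside functions whose bodies begin and end outside the patch.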