[ipfire-2.x.git] / src / patches / cacti / cacti-0.8.8b-rra-comments.patch

------------------------------------------------------------------------
r7418 | gandalf | 2013-08-13 13:32:49 -0600 (Tue, 13 Aug 2013) | 1 line

fix COMMENT handling, even in case COMMENT is empty, with or without HR and with variable substitution
------------------------------------------------------------------------
Index: branches/0.8.8/lib/rrd.php
===================================================================
--- branches/0.8.8/lib/rrd.php	(revision 7417)
+++ branches/0.8.8/lib/rrd.php	(revision 7418)
@@ -1343,20 +1343,20 @@
 		$need_rrd_nl = TRUE;
 
 		if ($graph_item_types{$graph_item["graph_type_id"]} == "COMMENT") {
+			# perform variable substitution first (in case this will yield an empty results or brings command injection problems)
+			$comment_arg = rrd_substitute_host_query_data($graph_variables["text_format"][$graph_item_id], $graph, $graph_item);
+			# next, compute the argument of the COMMENT statement and perform injection counter measures
+			if (trim($comment_arg) == '') { # an empty COMMENT must be treated with care
+				$comment_arg = cacti_escapeshellarg(' ' . $hardreturn[$graph_item_id]);
+			} else {
+				$comment_arg = cacti_escapeshellarg($comment_arg . $hardreturn[$graph_item_id]);
+			}
+
+			# create rrdtool specific command line
 			if (read_config_option("rrdtool_version") != "rrd-1.0.x") {
-				$comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id])) . " ";
-				if (trim($comment_string) == 'COMMENT:"\n"') {
-					$txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
-				} else if (trim($comment_string) != "COMMENT:\"\"") {
-					$txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
-				}
+				$txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", $comment_arg) . " ";
 			}else {
-				$comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id]) . " ";
-				if (trim($comment_string) == 'COMMENT:"\n"') {
-					$txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
-				} else if (trim($comment_string) != "COMMENT:\"\"") {
-					$txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
-				}
+				$txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . $comment_arg . " ";
 			}
 		}elseif (($graph_item_types{$graph_item["graph_type_id"]} == "GPRINT") && (!isset($graph_data_array["graph_nolegend"]))) {
 			$graph_variables["text_format"][$graph_item_id] = str_replace(":", "\:", $graph_variables["text_format"][$graph_item_id]); /* escape colons */
Commit	Line	Data
59dbe8d4 MT	1	------------------------------------------------------------------------
	2	r7418 \| gandalf \| 2013-08-13 13:32:49 -0600 (Tue, 13 Aug 2013) \| 1 line
	3
	4	fix COMMENT handling, even in case COMMENT is empty, with or without HR and with variable substitution
	5	------------------------------------------------------------------------
	6	Index: branches/0.8.8/lib/rrd.php
	7	===================================================================
	8	--- branches/0.8.8/lib/rrd.php (revision 7417)
	9	+++ branches/0.8.8/lib/rrd.php (revision 7418)
	10	@@ -1343,20 +1343,20 @@
	11	$need_rrd_nl = TRUE;
	12
	13	if ($graph_item_types{$graph_item["graph_type_id"]} == "COMMENT") {
	14	+ # perform variable substitution first (in case this will yield an empty results or brings command injection problems)
	15	+ $comment_arg = rrd_substitute_host_query_data($graph_variables["text_format"][$graph_item_id], $graph, $graph_item);
	16	+ # next, compute the argument of the COMMENT statement and perform injection counter measures
	17	+ if (trim($comment_arg) == '') { # an empty COMMENT must be treated with care
	18	+ $comment_arg = cacti_escapeshellarg(' ' . $hardreturn[$graph_item_id]);
	19	+ } else {
	20	+ $comment_arg = cacti_escapeshellarg($comment_arg . $hardreturn[$graph_item_id]);
	21	+ }
	22	+
	23	+ # create rrdtool specific command line
	24	if (read_config_option("rrdtool_version") != "rrd-1.0.x") {
	25	- $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id])) . " ";
	26	- if (trim($comment_string) == 'COMMENT:"\n"') {
	27	- $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
	28	- } else if (trim($comment_string) != "COMMENT:\"\"") {
	29	- $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
	30	- }
	31	+ $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . str_replace(":", "\:", $comment_arg) . " ";
	32	}else {
	33	- $comment_string = $graph_item_types{$graph_item["graph_type_id"]} . ":" . cacti_escapeshellarg($graph_variables["text_format"][$graph_item_id] . $hardreturn[$graph_item_id]) . " ";
	34	- if (trim($comment_string) == 'COMMENT:"\n"') {
	35	- $txt_graph_items .= 'COMMENT:" \n"'; # rrdtool will skip a COMMENT that holds a NL only; so add a blank to make NL work
	36	- } else if (trim($comment_string) != "COMMENT:\"\"") {
	37	- $txt_graph_items .= rrd_substitute_host_query_data($comment_string, $graph, $graph_item);
	38	- }
	39	+ $txt_graph_items .= $graph_item_types{$graph_item["graph_type_id"]} . ":" . $comment_arg . " ";
	40	}
	41	}elseif (($graph_item_types{$graph_item["graph_type_id"]} == "GPRINT") && (!isset($graph_data_array["graph_nolegend"]))) {
	42	$graph_variables["text_format"][$graph_item_id] = str_replace(":", "\:", $graph_variables["text_format"][$graph_item_id]); /* escape colons */