core91: Add changed pppsetup.cgi and language files
1 ------------------------------------------------------------------------
2 r7439 | rony | 2014-03-30 17:52:10 -0500 (Sun, 30 Mar 2014) | 5 lines
3
4 bug#0002405: SQL injection in graph_xport.php
5
6 - Fixed form input validation problems
7 - Fixed rrd export and graph shell escape issues
8
9 ------------------------------------------------------------------------
10 Index: branches/0.8.8/graph_xport.php
11 ===================================================================
12 --- branches/0.8.8/graph_xport.php (revision 7438)
13 +++ branches/0.8.8/graph_xport.php (revision 7439)
14 @@ -47,43 +47,48 @@
15
16 $graph_data_array = array();
17
18 +/* ================= input validation ================= */
19 +input_validate_input_number(get_request_var("local_graph_id"));
20 +input_validate_input_number(get_request_var("rra_id"));
21 +/* ==================================================== */
22 +
23 /* override: graph start time (unix time) */
24 -if (!empty($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {
25 - $graph_data_array["graph_start"] = $_GET["graph_start"];
26 +if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"] && $_GET["graph_start"] < 1600000000)) {
27 + $graph_data_array["graph_start"] = get_request_var("graph_start");
28 }
29
30 /* override: graph end time (unix time) */
31 -if (!empty($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
32 - $graph_data_array["graph_end"] = $_GET["graph_end"];
33 +if (!empty($_GET["graph_end"]) && is_numeric($_GET["graph_end"]) && $_GET["graph_end"] < 1600000000) {
34 + $graph_data_array["graph_end"] = get_request_var("graph_end");
35 }
36
37 /* override: graph height (in pixels) */
38 -if (!empty($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
39 - $graph_data_array["graph_height"] = $_GET["graph_height"];
40 +if (!empty($_GET["graph_height"]) && is_numeric($_GET["graph_height"]) && $_GET["graph_height"] < 3000) {
41 + $graph_data_array["graph_height"] = get_request_var("graph_height");
42 }
43
44 /* override: graph width (in pixels) */
45 -if (!empty($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
46 - $graph_data_array["graph_width"] = $_GET["graph_width"];
47 +if (!empty($_GET["graph_width"]) && is_numeric($_GET["graph_width"]) && $_GET["graph_width"] < 3000) {
48 + $graph_data_array["graph_width"] = get_request_var("graph_width");
49 }
50
51 /* override: skip drawing the legend? */
52 if (!empty($_GET["graph_nolegend"])) {
53 - $graph_data_array["graph_nolegend"] = $_GET["graph_nolegend"];
54 + $graph_data_array["graph_nolegend"] = get_request_var("graph_nolegend");
55 }
56
57 /* print RRDTool graph source? */
58 if (!empty($_GET["show_source"])) {
59 - $graph_data_array["print_source"] = $_GET["show_source"];
60 + $graph_data_array["print_source"] = get_request_var("show_source");
61 }
62
63 -$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . $_REQUEST["local_graph_id"] . "'");
64 +$graph_info = db_fetch_row("SELECT * FROM graph_templates_graph WHERE local_graph_id='" . get_request_var("local_graph_id") . "'");
65
66 /* for bandwidth, NThPercentile */
67 $xport_meta = array();
68
69 /* Get graph export */
70 -$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], $_GET["rra_id"], $graph_data_array, $xport_meta);
71 +$xport_array = @rrdtool_function_xport($_GET["local_graph_id"], get_request_var("rra_id"), $graph_data_array, $xport_meta);
72
73 /* Make graph title the suggested file name */
74 if (is_array($xport_array["meta"])) {
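Review bot: The `graph_start` check on new line 26 misplaces the closing parenthesis: `is_numeric()` receives the boolean result of `$_GET["graph_start"] && $_GET["graph_start"] < 1600000000`, and `is_numeric()` of a bool is false, so the start-time override can never be applied while the other three overrides work; it should read `if (!empty($_GET["graph_start"]) && is_numeric($_GET["graph_start"]) && $_GET["graph_start"] < 1600000000) {` exactly like the `graph_end` line. The SELECT on line 64 still interpolates `local_graph_id` into the query string, which is only safe if `input_validate_input_number()` on line 19 halts the request on non-numeric input — a comment such as `/* local_graph_id is interpolated into SQL below; it is rejected unless numeric above */` would make that dependency explicit for the next maintainer. Line 71 also still reads `$_GET["local_graph_id"]` directly while the neighbouring argument switched to `get_request_var("rra_id")`; `get_request_var("local_graph_id")` would keep the two consistent.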
75 Index: branches/0.8.8/lib/rrd.php
76 ===================================================================
77 --- branches/0.8.8/lib/rrd.php (revision 7438)
78 +++ branches/0.8.8/lib/rrd.php (revision 7439)
79 @@ -865,13 +865,13 @@
80 /* basic graph options */
81 $graph_opts .=
82 "--imgformat=" . $image_types{$graph["image_format_id"]} . RRD_NL .
83 - "--start=$graph_start" . RRD_NL .
84 - "--end=$graph_end" . RRD_NL .
85 + "--start=" . cacti_escapeshellarg($graph_start) . RRD_NL .
86 + "--end=" . cacti_escapeshellarg($graph_end) . RRD_NL .
87 "--title=" . cacti_escapeshellarg($graph["title_cache"]) . RRD_NL .
88 "$rigid" .
89 - "--base=" . $graph["base_value"] . RRD_NL .
90 - "--height=$graph_height" . RRD_NL .
91 - "--width=$graph_width" . RRD_NL .
92 + "--base=" . cacti_escapeshellarg($graph["base_value"]) . RRD_NL .
93 + "--height=" . cacti_escapeshellarg($graph_height) . RRD_NL .
94 + "--width=" . cacti_escapeshellarg($graph_width) . RRD_NL .
95 "$scale" .
96 "$unit_value" .
97 "$unit_exponent_value" .
98 @@ -1606,8 +1606,8 @@
99
100 /* basic export options */
101 $xport_opts =
102 - "--start=$xport_start" . RRD_NL .
103 - "--end=$xport_end" . RRD_NL .
104 + "--start=" . cacti_escapeshellarg($xport_start) . RRD_NL .
105 + "--end=" . cacti_escapeshellarg($xport_end) . RRD_NL .
106 "--maxrows=10000" . RRD_NL;
107
108 $xport_defs = "";
109 @@ -1997,7 +1997,7 @@
110 $stacked_columns["col" . $j] = ($graph_item_types{$xport_item["graph_type_id"]} == "STACK") ? 1 : 0;
111 $j++;
112
113 - $txt_xport_items .= "XPORT:" . $data_source_name . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
114 + $txt_xport_items .= "XPORT:" . cacti_escapeshellarg($data_source_name) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name)) ;
115 }else{
116 $need_rrd_nl = FALSE;
117 }
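Review bot: `$data_source_name` is now shell-quoted on new line 114, but unlike `$legend_name` it is not passed through `str_replace(":", "", ...)`, so a name containing a colon would still be split by rrdtool into extra XPORT fields; if the name is not guaranteed colon-free where it is built (outside this hunk), apply the same stripping: `$txt_xport_items .= "XPORT:" . str_replace(":", "", cacti_escapeshellarg($data_source_name)) . ":" . str_replace(":", "", cacti_escapeshellarg($legend_name));`. The enclosing loop and function start outside the hunk. The quotes emitted by `cacti_escapeshellarg()` are presumably removed by the shell so rrdtool still sees `XPORT:name:legend`; if this string were ever handed to rrdtool without a shell, the quotes would become part of the vname, which is worth a one-line comment at the assignment.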