author | Pim van den Berg | 2015-05-25 12:02:35 +0200 |
---|---|---|
committer | Pim van den Berg | 2015-05-25 12:11:31 +0200 |
commit | a213f092ab2abc7d0033044b074a327f28287507 (patch) | |
tree | aff9cbcc286291d71f05a3bebbaf1b34b6c35c72 | |
parent | inc/functions: make type argument of validate_get function exactly the same a... (diff) | |
inc/functions: merge functions GET and validate_get
And make sure all input from $_GET variables is parsed and validated.
Diffstat (limited to '')
-rw-r--r-- | detail.php | 17 | ||||
-rw-r--r-- | graph.php | 20 | ||||
-rw-r--r-- | host.php | 4 | ||||
-rw-r--r-- | inc/functions.inc.php | 58 | ||||
-rw-r--r-- | inc/html.inc.php | 10 |
5 files changed, 74 insertions, 35 deletions
@@ -15,12 +15,12 @@ if (empty($_GET['y'])) | |||
15 | if ($CONFIG['graph_type'] == 'hybrid') | 15 | if ($CONFIG['graph_type'] == 'hybrid') |
16 | $CONFIG['graph_type'] = 'canvas'; | 16 | $CONFIG['graph_type'] = 'canvas'; |
17 | 17 | ||
18 | $host = validate_get(GET('h'), 'h'); | 18 | $host = GET('h'); |
19 | $plugin = validate_get(GET('p'), 'p'); | 19 | $plugin = GET('p'); |
20 | $pinstance = validate_get(GET('pi'), 'pi'); | 20 | $pinstance = GET('pi'); |
21 | $category = validate_get(GET('c'), 'c'); | 21 | $category = GET('c'); |
22 | $type = validate_get(GET('t'), 't'); | 22 | $type = GET('t'); |
23 | $tinstance = validate_get(GET('ti'), 'ti'); | 23 | $tinstance = GET('ti'); |
24 | $seconds = GET('s'); | 24 | $seconds = GET('s'); |
25 | 25 | ||
26 | $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin); | 26 | $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin); |
@@ -40,7 +40,7 @@ plugins_list($host, $selected_plugins); | |||
40 | echo '<div class="graphs">'; | 40 | echo '<div class="graphs">'; |
41 | plugin_header($host, $plugin); | 41 | plugin_header($host, $plugin); |
42 | 42 | ||
43 | $args = $_GET; | 43 | $args = GET(); |
44 | print '<ul class="time-range">' . "\n"; | 44 | print '<ul class="time-range">' . "\n"; |
45 | foreach($CONFIG['term'] as $key => $s) { | 45 | foreach($CONFIG['term'] as $key => $s) { |
46 | $args['s'] = $s; | 46 | $args['s'] = $s; |
@@ -59,7 +59,8 @@ if ($CONFIG['graph_type'] == 'canvas') { | |||
59 | } else { | 59 | } else { |
60 | printf("<img src=\"%s%s\">\n", | 60 | printf("<img src=\"%s%s\">\n", |
61 | htmlentities($CONFIG['weburl']), | 61 | htmlentities($CONFIG['weburl']), |
62 | htmlentities(build_url('graph.php', $_GET))); | 62 | htmlentities(build_url('graph.php', GET())) |
63 | ); | ||
63 | } | 64 | } |
64 | echo '</div>'; | 65 | echo '</div>'; |
65 | echo "</fieldset>\n"; | 66 | echo "</fieldset>\n"; |
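Review bot: `GET()` with no index on new lines 43 and 62 re-runs every validation regex and, for a malformed parameter, calls error_log() again on each call, so one bad `h` is logged by line 18 and then once more by each of lines 43 and 62; the repeated validation is harmless, but the duplicate log lines make the per-request noise hard to read. Reading the sanitized set once next to line 18, `$params = GET();`, and passing `$params` to both build_url() calls keeps one log line per bad value (`$args = $params;` copies the array, so the loop's `$args['s'] = $s` does not affect it). Whether build_url() drops the NULL entries that GET() returns for unknown or rejected keys is not visible here.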
@@ -4,8 +4,8 @@ require_once 'conf/common.inc.php'; | |||
4 | require_once 'inc/functions.inc.php'; | 4 | require_once 'inc/functions.inc.php'; |
5 | require_once 'inc/collectd.inc.php'; | 5 | require_once 'inc/collectd.inc.php'; |
6 | 6 | ||
7 | $plugin = validate_get(GET('p'), 'p'); | 7 | $plugin = GET('p'); |
8 | $type = validate_get(GET('t'), 't'); | 8 | $type = GET('t'); |
9 | $width = GET('x') ? filter_var(GET('x'), FILTER_VALIDATE_INT, array( | 9 | $width = GET('x') ? filter_var(GET('x'), FILTER_VALIDATE_INT, array( |
10 | 'min_range' => 10, | 10 | 'min_range' => 10, |
11 | 'max_range' => $CONFIG['max-width'] | 11 | 'max_range' => $CONFIG['max-width'] |
@@ -18,12 +18,12 @@ $height = GET('y') ? filter_var(GET('y'), FILTER_VALIDATE_INT, array( | |||
18 | if ($width === NULL || $height === NULL) { | 18 | if ($width === NULL || $height === NULL) { |
19 | error_log(sprintf('Invalid image dimension, x="%s", y="%s"', | 19 | error_log(sprintf('Invalid image dimension, x="%s", y="%s"', |
20 | urlencode(GET('x')), | 20 | urlencode(GET('x')), |
21 | urlencode(GET('y')))); | 21 | urlencode(GET('y')) |
22 | )); | ||
22 | error_image(); | 23 | error_image(); |
23 | } | 24 | } |
24 | 25 | ||
25 | if (validate_get(GET('h'), 'h') === NULL) { | 26 | if (GET('h') === NULL) { |
26 | error_log('Invalid host: "' . urlencode(GET('h')) . '"'); | ||
27 | error_image(); | 27 | error_image(); |
28 | } | 28 | } |
29 | 29 | ||
@@ -31,7 +31,7 @@ $typesdb = parse_typesdb_file($CONFIG['typesdb']); | |||
31 | 31 | ||
32 | if ($plugin == 'aggregation') { | 32 | if ($plugin == 'aggregation') { |
33 | $pi = explode("-", GET('pi')); | 33 | $pi = explode("-", GET('pi')); |
34 | $plugin = $_GET['p'] = validate_get($pi[0], 'p'); | 34 | $plugin = $_GET['p'] = GET('p', $pi[0]); |
35 | } | 35 | } |
36 | 36 | ||
37 | # plugin json | 37 | # plugin json |
@@ -49,19 +49,19 @@ if (!isset($plugin_json[$type]['type'])) | |||
49 | switch ($plugin_json[$type]['type']) { | 49 | switch ($plugin_json[$type]['type']) { |
50 | case 'stacked': | 50 | case 'stacked': |
51 | require_once 'type/GenericStacked.class.php'; | 51 | require_once 'type/GenericStacked.class.php'; |
52 | $obj = new Type_GenericStacked($CONFIG, $_GET); | 52 | $obj = new Type_GenericStacked($CONFIG, GET()); |
53 | break; | 53 | break; |
54 | case 'io': | 54 | case 'io': |
55 | require_once 'type/GenericIO.class.php'; | 55 | require_once 'type/GenericIO.class.php'; |
56 | $obj = new Type_GenericIO($CONFIG, $_GET); | 56 | $obj = new Type_GenericIO($CONFIG, GET()); |
57 | break; | 57 | break; |
58 | case 'uptime': | 58 | case 'uptime': |
59 | require_once 'type/Uptime.class.php'; | 59 | require_once 'type/Uptime.class.php'; |
60 | $obj = new Type_Uptime($CONFIG, $_GET); | 60 | $obj = new Type_Uptime($CONFIG, GET()); |
61 | break; | 61 | break; |
62 | default: | 62 | default: |
63 | require_once 'type/Default.class.php'; | 63 | require_once 'type/Default.class.php'; |
64 | $obj = new Type_Default($CONFIG, $_GET); | 64 | $obj = new Type_Default($CONFIG, GET()); |
65 | break; | 65 | break; |
66 | } | 66 | } |
67 | 67 | ||
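Review bot: Dropping the `error_log('Invalid host: ...')` on old line 26 means a request with no `h` at all now returns the error image silently: GET() returns NULL before its logging when `$_GET[$index]` is unset (new functions.inc.php lines 15-16), so only present-but-malformed hosts are logged. Keeping `if (GET('h') === NULL) { if (!isset($_GET['h'])) error_log('Missing $_GET["h"]'); error_image(); }` restores that trace without double-logging the invalid case. In the aggregation branch on lines 33-34, when `pi` is missing or rejected, `explode("-", NULL)` yields `array('')` and `GET('p', '')` then logs 'Invalid plugin in $_GET["p"]: ""' and sets `$_GET['p']` to NULL, attributing the failure to the wrong parameter; checking `GET('pi')` for NULL first and calling error_image() there would give an accurate log line. Whether error_image() terminates the request, as its use on line 23 suggests, is not visible in this hunk.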
@@ -4,8 +4,8 @@ require_once 'conf/common.inc.php'; | |||
4 | require_once 'inc/html.inc.php'; | 4 | require_once 'inc/html.inc.php'; |
5 | require_once 'inc/collectd.inc.php'; | 5 | require_once 'inc/collectd.inc.php'; |
6 | 6 | ||
7 | $host = validate_get(GET('h'), 'h'); | 7 | $host = GET('h'); |
8 | $plugin = validate_get(GET('p'), 'p'); | 8 | $plugin = GET('p'); |
9 | 9 | ||
10 | $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin); | 10 | $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin); |
11 | 11 | ||
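diff --git a/inc/functions.inc.php b/inc/functions.inc.php
index f667772..9e56868 100644
--- a/inc/functions.inc.php
+++ b/inc/functions.inc.php
@@ -2,28 +2,66 @@
 
 # global functions
 
-function GET($index) {
-if (isset($_GET[$index]))
-return $_GET[$index];
-return null;
-}
+function GET($index = NULL, $value = NULL) {
+# parse all values from $_GET when no index is given
+if ($index === NULL) {
+$arr = array();
+foreach($_GET as $i => $v) {
+$arr[$i] = GET($i);
+}
+return $arr;
+}
+
+if (!isset($_GET[$index]))
+return NULL;
+
+if ($value === NULL)
+$value = $_GET[$index];
 
-function validate_get($value, $type) {
-switch($type) {
+$desc = array(
+'h' => 'host',
+'p' => 'plugin',
+'c' => 'category',
+'t' => 'type',
+'pi' => 'plugin instance',
+'ti' => 'type instance',
+'s' => 'seconds',
+'x' => 'x-axis',
+'y' => 'y-axis',
+);
+
+switch($index) {
 case 'h': # host
-if (!preg_match('/^[\w-.]+$/u', $value))
+if (!preg_match('/^[\w-.]+$/u', $value)) {
+error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
 return NULL;
+}
 break;
 case 'p': # plugin
 case 'c': # category
 case 't': # type
-if (!preg_match('/^\w+$/u', $value))
+if (!preg_match('/^\w+$/u', $value)) {
+error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
 return NULL;
+}
 break;
 case 'pi': # plugin instance
 case 'ti': # type instance
-if (!preg_match('/^[\w-]+$/u', $value))
+if (!preg_match('/^[\w-]+$/u', $value)) {
+error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
+return NULL;
+}
+break;
+case 's': # seconds
+case 'x': # x-axis
+case 'y': # y-axis
+if (!is_numeric($value)) {
+error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
 return NULL;
+}
+break;
+default:
+return NULL;
 break;
 }
 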
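diff --git a/inc/html.inc.php b/inc/html.inc.php
index 3998f54..98081ce 100644
--- a/inc/html.inc.php
+++ b/inc/html.inc.php
@@ -313,15 +313,15 @@ function host_summary($cat, $hosts) {
 
 function breadcrumbs() {
 $path = '';
-if (validate_get(GET('h'), 'h'))
+if (GET('h'))
 $path .= ' - '.ucfirst(GET('h'));
-if (validate_get(GET('p'), 'p'))
+if (GET('p'))
 $path .= ' - '.ucfirst(GET('p'));
-if (validate_get(GET('pi'), 'pi'))
+if (GET('pi'))
 $path .= ' - '.GET('pi');
-if (validate_get(GET('t'), 't') && validate_get(GET('p'), 'p') && GET('t') != GET('p'))
+if (GET('t') && GET('p') && GET('t') != GET('p'))
 $path .= ' - '.GET('t');
-if (validate_get(GET('ti'), 'ti'))
+if (GET('ti'))
 $path .= ' - '.GET('ti');
 
 return $path;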
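Review bot: Every `GET('x')` in breadcrumbs() re-validates and, on a malformed value, re-logs: line 322 alone evaluates `GET('t')` and `GET('p')` twice each, so a single bad `t` produces two identical error_log lines from this function on top of the one the calling page already produced. Reading each parameter once into a local fixes that and also makes the HTML-safety assumption explicit: `$path` is returned unescaped and relies on the `\w`, `-` and `.` patterns in GET() to keep `<`, `"` and `&` out, which deserves a comment such as `# values are already restricted to [\w.-] by GET(), so no escaping needed`. A rewrite along these lines is sketched below; the function's closing brace lies beyond this hunk.
```php
function breadcrumbs() {
    # values come back from GET() already restricted to [\w.-] (or NULL),
    # so $path needs no HTML escaping; read each once to avoid re-logging
    $h  = GET('h');
    $p  = GET('p');
    $pi = GET('pi');
    $t  = GET('t');
    $ti = GET('ti');
    $path = '';
    if ($h)
        $path .= ' - '.ucfirst($h);
    if ($p)
        $path .= ' - '.ucfirst($p);
    if ($pi)
        $path .= ' - '.$pi;
    if ($t && $p && $t != $p)
        $path .= ' - '.$t;
    if ($ti)
        $path .= ' - '.$ti;

    return $path;
```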