authorPeter Wu2014-07-21 00:11:24 +0200
committerPeter Wu2014-07-21 00:11:24 +0200
commitda067f6df3064c019ae9c22432ccf99a08a84915 (patch)
tree03fd70b003ac5ef075bfe483f1325171ce5fe2a8
parentFix regex for strange datadirs (diff)
Fix overly permissive hostname validation, fix host check
`[\w\W]` matches EVERYTHING. Validation failed. Also remove `\d`, as `\w` is a superset of it. Also check that the host parameter is actually non-empty; otherwise `collectd_plugins` will happily return results, as the directory `$CONFIG['datadir'] . '/' . ''` trivially exists...
-rw-r--r--host.php2
-rw-r--r--inc/functions.inc.php4
2 files changed, 3 insertions, 3 deletions
diff --git a/host.php b/host.php
index 97f4dae..a19aecc 100644
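--- a/host.php
+++ b/host.php
@@ -15,7 +15,7 @@ printf("<fieldset id=\"%s\">", htmlentities($host));
 printf("<legend>%s</legend>", htmlentities($host));
 
 
-if (!$plugins = collectd_plugins($host)) {
+if (!strlen($host) || !$plugins = collectd_plugins($host)) {
  echo "Unknown host\n";
  return false;
 }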
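Review bot: The empty-host guard is added only at this one call site, so any other caller that hands a NULL or empty host to collectd_plugins would still get results for the bare data directory; the check is safer inside collectd_plugins itself, which is not shown here. If it stays in host.php, an explicit test reads more clearly than relying on strlen() of a possibly NULL value and on assignment precedence inside the condition: `if (!is_string($host) || $host === '' || !($plugins = collectd_plugins($host))) {`. The script continues outside the hunk on both sides.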
diff --git a/inc/functions.inc.php b/inc/functions.inc.php
index fed4b10..c32b3ef 100644
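--- a/inc/functions.inc.php
+++ b/inc/functions.inc.php
@@ -11,7 +11,7 @@ function GET($index) {
 function validate_get($value, $type) {
  switch($type) {
  case 'host':
- if (!preg_match('/^[\d\w\W]+$/u', $value))
+ if (!preg_match('/^[\w-.]+$/u', $value))
  return NULL;
  break;
  case 'plugin':
@@ -22,7 +22,7 @@ function validate_get($value, $type) {
  break;
  case 'pinstance':
  case 'tinstance':
- if (!preg_match('/^[\w-]+$/u', $value))
+ if (!preg_match('/^[\w-]+$/u', $value))
  return NULL;
  break;
  }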
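Review bot: The new host pattern `/^[\w-.]+$/u` in the first hunk still accepts `.` and `..`, which name directories that exist under `$CONFIG['datadir']` just as the empty string did, so the problem the description fixes stays reachable if collectd_plugins only tests that the directory exists (its body is not shown). I would reject dot-only values and move the hyphen to the end of the class, because a hyphen between `\w` and another character is a compile error on PHP builds that use PCRE2, where preg_match returns false and every host is then rejected: `if (!preg_match('/^[\w.-]+$/Du', $value) || trim($value, '.') === '') return NULL;`. The `D` modifier keeps `$` from matching before a trailing newline, and the same applies to the `pinstance`/`tinstance` pattern in the second hunk. validate_get begins in the first hunk and runs past the end of the second.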