diff options
| author | Peter Wu | 2014-07-21 11:09:21 +0200 |
|---|---|---|
| committer | Peter Wu | 2014-07-21 11:09:21 +0200 |
| commit | ed418551cdb76a72c1323fd32cb3ef6f58e697d5 (patch) | |
| tree | dba230c2b1b007dbc3fd768badad0e0a999d4b7e | |
| parent | Fix overly permissive hostname validation, fix host check (diff) | |
| download | apt-panopticon_cgp-ed418551cdb76a72c1323fd32cb3ef6f58e697d5.zip apt-panopticon_cgp-ed418551cdb76a72c1323fd32cb3ef6f58e697d5.tar.gz apt-panopticon_cgp-ed418551cdb76a72c1323fd32cb3ef6f58e697d5.tar.bz2 apt-panopticon_cgp-ed418551cdb76a72c1323fd32cb3ef6f58e697d5.tar.xz | |
Better x and y validation, report 400 on errors
Report 400 Bad Request on query errors instead of reporting 200 OK
(which can be cached).
Add some additional validation for the 'x' and 'y' parameters, to catch
underflow (test with `x=-10` for example). Also fix a typo in the error
message and include more details (the actual error).
| -rw-r--r-- | graph.php | 22 | ||||
| -rw-r--r-- | inc/functions.inc.php | 2 |
2 files changed, 16 insertions, 8 deletions
| @@ -6,16 +6,24 @@ require_once 'inc/collectd.inc.php'; | |||
| 6 | 6 | ||
| 7 | $plugin = validate_get(GET('p'), 'plugin'); | 7 | $plugin = validate_get(GET('p'), 'plugin'); |
| 8 | $type = validate_get(GET('t'), 'type'); | 8 | $type = validate_get(GET('t'), 'type'); |
| 9 | $width = empty($_GET['x']) ? $CONFIG['width'] : $_GET['x']; | 9 | $width = GET('x') ? filter_input(INPUT_GET, 'x', FILTER_VALIDATE_INT, array( |
| 10 | $height = empty($_GET['y']) ? $CONFIG['height'] : $_GET['y']; | 10 | 'min_range' => 10, |
| 11 | 11 | 'max_range' => $CONFIG['max-width'] | |
| 12 | if (validate_get(GET('h'), 'host') === NULL) { | 12 | )) : $CONFIG['width']; |
| 13 | error_log('CGP Error: plugin contains unknown characters'); | 13 | $height = GET('y') ? filter_input(INPUT_GET, 'y', FILTER_VALIDATE_INT, array( |
| 14 | 'min_range' => 10, | ||
| 15 | 'max_range' => $CONFIG['max-height'] | ||
| 16 | )) : $CONFIG['height']; | ||
| 17 | |||
| 18 | if ($width === NULL || $height === NULL) { | ||
| 19 | error_log(sprintf('Invalid image dimension, x="%s", y="%s"', | ||
| 20 | urlencode(GET('x')), | ||
| 21 | urlencode(GET('y')))); | ||
| 14 | error_image(); | 22 | error_image(); |
| 15 | } | 23 | } |
| 16 | 24 | ||
| 17 | if ($width > $CONFIG['max-width'] || $height > $CONFIG['max-height']) { | 25 | if (validate_get(GET('h'), 'host') === NULL) { |
| 18 | error_log('Resquested image is too large. Please configure max-width and max-height.'); | 26 | error_log('Invalid host: "' . urlencode(GET('h')) . '"'); |
| 19 | error_image(); | 27 | error_image(); |
| 20 | } | 28 | } |
| 21 | 29 | ||
diff --git a/inc/functions.inc.php b/inc/functions.inc.php index c32b3ef..3664d78 100644 --- a/inc/functions.inc.php +++ b/inc/functions.inc.php | |||
| @@ -55,7 +55,7 @@ function crc32hex($str) { | |||
| 55 | } | 55 | } |
| 56 | 56 | ||
| 57 | function error_image() { | 57 | function error_image() { |
| 58 | header("Content-Type: image/png"); | 58 | header("Content-Type: image/png", true, 400); |
| 59 | readfile('layout/error.png'); | 59 | readfile('layout/error.png'); |
| 60 | exit; | 60 | exit; |
| 61 | } | 61 | } |