Use a more secure command line building method

Previously, a command is built by string concatenation. Here, the
distinction between a value and multiple params got lost. Solve this
by using an array for shell arguments. As the escaping is now removed
from the `rrd_gen_graph` function, the canvas style needs to manually
add those quotes to make the JS code still work. That only supports
double-quotes, so hopefully nobody creates a name with a double quote
as that would break the fragile JS command line parser.

Separate the rrdtool options from the rrdtool graph command to make the
`$graph_type == 'canvas'` option work (it would otherwise not understand
the `rrdtool graph - -a PNG` option).

Merge the SVG and PNG cases as they are the same except for the
Content-Type header.

Fix a missing html escape in a debug style.

1 files changed, 2 insertions, 2 deletions

diff --git a/conf/config.php b/conf/config.php
index 30eaaf9..57a0188 100644
--- a/conf/config.php
+++ b/conf/config.php
@@ -12,8 +12,8 @@ $CONFIG['typesdb'][] = '/usr/share/collectd/types.db';
 # rrdtool executable
 $CONFIG['rrdtool'] = '/usr/bin/rrdtool';
 
-# rrdtool special options
-$CONFIG['rrdtool_opts'] = '';
+# rrdtool special command-line options
+$CONFIG['rrdtool_opts'] = [];
 
 # category of hosts to show on main page
 #$CONFIG['cat']['category1'] = array('host1', 'host2');