author: Peter Wu 2014-07-20 23:30:49 +0200
committer: Peter Wu 2014-07-20 23:30:49 +0200
commit: 4a737bc1abdbef7e0698b006704a26583a4c61df (patch)
tree: 7d5f51f76acd43d1aeda601dd7201e2c158bdae4 /graph.php
parent: security: Add missing input validation for plugin (diff)
Use a more secure command line building method
Previously, a command was built by string concatenation. Here, the distinction between a value and multiple params got lost. Solve this by using an array for shell arguments.

As the escaping is now removed from the `rrd_gen_graph` function, the canvas style needs to manually add those quotes to make the JS code still work. That only supports double-quotes, so hopefully nobody creates a name with a double quote as that would break the fragile JS command line parser.

Separate the rrdtool options from the rrdtool graph command to make the `$graph_type == 'canvas'` option work (it would otherwise not understand the `rrdtool graph - -a PNG` option).

Merge the SVG and PNG cases as they are the same except for the Content-Type header.

Fix a missing html escape in a debug style.
Diffstat (limited to 'graph.php')
-rw-r--r-- graph.php 11
1 files changed, 10 insertions, 1 deletions
diff --git a/graph.php b/graph.php
index 1727c1b..3e33b92 100644
--- a/graph.php
+++ b/graph.php
@@ -86,7 +86,16 @@ if (isset($plugin_json[$type]['vertical'])) {
86} 86}
87 87
88if (isset($plugin_json[$type]['rrdtool_opts'])) { 88if (isset($plugin_json[$type]['rrdtool_opts'])) {
89 $obj->rrdtool_opts[] = $plugin_json[$type]['rrdtool_opts']; 89 $rrdtool_extra_opts = $plugin_json[$type]['rrdtool_opts'];
90 # compatibility with plugins which specify arguments as string
91 if (is_string($rrdtool_extra_opts)) {
92 $rrdtool_extra_opts = explode(' ', $rrdtool_extra_opts);
93 }
94
95 $obj->rrdtool_opts = array_merge(
96 $obj->rrdtool_opts,
97 $rrdtool_extra_opts
98 );
90} 99}
91 100
92if (isset($plugin_json[$type]['datasize']) and $plugin_json[$type]['datasize']) 101if (isset($plugin_json[$type]['datasize']) and $plugin_json[$type]['datasize'])
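Review bot: the compatibility path on line 92, `explode(' ', $rrdtool_extra_opts)`, splits only on single spaces, so a legacy string option with consecutive spaces produces empty-string arguments that are then passed to rrdtool verbatim, and a value that legitimately contains a space (for example a quoted title) is cut in the middle; since the point of this change is to keep one argument per array element, consider `preg_split('/\s+/', trim($rrdtool_extra_opts), -1, PREG_SPLIT_NO_EMPTY)` or state in the comment that the string form cannot carry values containing spaces. Separately, `array_merge` on line 95 rejects a second argument that is neither string nor array (a number or `true` in the plugin JSON), so an `is_array($rrdtool_extra_opts)` guard before the merge, or an explicit error, would fail closed instead of leaving `$obj->rrdtool_opts` in an unexpected state.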