diff options
| author | Pim van den Berg | 2015-05-25 12:02:35 +0200 |
|---|---|---|
| committer | Pim van den Berg | 2015-05-25 12:11:31 +0200 |
| commit | a213f092ab2abc7d0033044b074a327f28287507 (patch) | |
| tree | aff9cbcc286291d71f05a3bebbaf1b34b6c35c72 /inc | |
| parent | inc/functions: make type argument of validate_get function exactly the same a... (diff) | |
| download | apt-panopticon_cgp-a213f092ab2abc7d0033044b074a327f28287507.zip apt-panopticon_cgp-a213f092ab2abc7d0033044b074a327f28287507.tar.gz apt-panopticon_cgp-a213f092ab2abc7d0033044b074a327f28287507.tar.bz2 apt-panopticon_cgp-a213f092ab2abc7d0033044b074a327f28287507.tar.xz | |
inc/functions: merge functions GET and validate_get
And make sure all input from $_GET variables are parsed and validated.
Diffstat (limited to 'inc')
| -rw-r--r-- | inc/functions.inc.php | 58 | ||||
| -rw-r--r-- | inc/html.inc.php | 10 |
2 files changed, 53 insertions, 15 deletions
diff --git a/inc/functions.inc.php b/inc/functions.inc.php index f667772..9e56868 100644 --- a/inc/functions.inc.php +++ b/inc/functions.inc.php | |||
| @@ -2,28 +2,66 @@ | |||
| 2 | 2 | ||
| 3 | # global functions | 3 | # global functions |
| 4 | 4 | ||
| 5 | function GET($index) { | 5 | function GET($index = NULL, $value = NULL) { |
| 6 | if (isset($_GET[$index])) | 6 | # parse all values from $_GET when no index is given |
| 7 | return $_GET[$index]; | 7 | if ($index === NULL) { |
| 8 | return null; | 8 | $arr = array(); |
| 9 | } | 9 | foreach($_GET as $i => $v) { |
| 10 | $arr[$i] = GET($i); | ||
| 11 | } | ||
| 12 | return $arr; | ||
| 13 | } | ||
| 14 | |||
| 15 | if (!isset($_GET[$index])) | ||
| 16 | return NULL; | ||
| 17 | |||
| 18 | if ($value === NULL) | ||
| 19 | $value = $_GET[$index]; | ||
| 10 | 20 | ||
| 11 | function validate_get($value, $type) { | 21 | $desc = array( |
| 12 | switch($type) { | 22 | 'h' => 'host', |
| 23 | 'p' => 'plugin', | ||
| 24 | 'c' => 'category', | ||
| 25 | 't' => 'type', | ||
| 26 | 'pi' => 'plugin instance', | ||
| 27 | 'ti' => 'type instance', | ||
| 28 | 's' => 'seconds', | ||
| 29 | 'x' => 'x-axis', | ||
| 30 | 'y' => 'y-axis', | ||
| 31 | ); | ||
| 32 | |||
| 33 | switch($index) { | ||
| 13 | case 'h': # host | 34 | case 'h': # host |
| 14 | if (!preg_match('/^[\w-.]+$/u', $value)) | 35 | if (!preg_match('/^[\w-.]+$/u', $value)) { |
| 36 | error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); | ||
| 15 | return NULL; | 37 | return NULL; |
| 38 | } | ||
| 16 | break; | 39 | break; |
| 17 | case 'p': # plugin | 40 | case 'p': # plugin |
| 18 | case 'c': # category | 41 | case 'c': # category |
| 19 | case 't': # type | 42 | case 't': # type |
| 20 | if (!preg_match('/^\w+$/u', $value)) | 43 | if (!preg_match('/^\w+$/u', $value)) { |
| 44 | error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); | ||
| 21 | return NULL; | 45 | return NULL; |
| 46 | } | ||
| 22 | break; | 47 | break; |
| 23 | case 'pi': # plugin instance | 48 | case 'pi': # plugin instance |
| 24 | case 'ti': # type instance | 49 | case 'ti': # type instance |
| 25 | if (!preg_match('/^[\w-]+$/u', $value)) | 50 | if (!preg_match('/^[\w-]+$/u', $value)) { |
| 51 | error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); | ||
| 52 | return NULL; | ||
| 53 | } | ||
| 54 | break; | ||
| 55 | case 's': # seconds | ||
| 56 | case 'x': # x-axis | ||
| 57 | case 'y': # y-axis | ||
| 58 | if (!is_numeric($value)) { | ||
| 59 | error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); | ||
| 26 | return NULL; | 60 | return NULL; |
| 61 | } | ||
| 62 | break; | ||
| 63 | default: | ||
| 64 | return NULL; | ||
| 27 | break; | 65 | break; |
| 28 | } | 66 | } |
| 29 | 67 | ||
diff --git a/inc/html.inc.php b/inc/html.inc.php index 3998f54..98081ce 100644 --- a/inc/html.inc.php +++ b/inc/html.inc.php | |||
| @@ -313,15 +313,15 @@ function host_summary($cat, $hosts) { | |||
| 313 | 313 | ||
| 314 | function breadcrumbs() { | 314 | function breadcrumbs() { |
| 315 | $path = ''; | 315 | $path = ''; |
| 316 | if (validate_get(GET('h'), 'h')) | 316 | if (GET('h')) |
| 317 | $path .= ' - '.ucfirst(GET('h')); | 317 | $path .= ' - '.ucfirst(GET('h')); |
| 318 | if (validate_get(GET('p'), 'p')) | 318 | if (GET('p')) |
| 319 | $path .= ' - '.ucfirst(GET('p')); | 319 | $path .= ' - '.ucfirst(GET('p')); |
| 320 | if (validate_get(GET('pi'), 'pi')) | 320 | if (GET('pi')) |
| 321 | $path .= ' - '.GET('pi'); | 321 | $path .= ' - '.GET('pi'); |
| 322 | if (validate_get(GET('t'), 't') && validate_get(GET('p'), 'p') && GET('t') != GET('p')) | 322 | if (GET('t') && GET('p') && GET('t') != GET('p')) |
| 323 | $path .= ' - '.GET('t'); | 323 | $path .= ' - '.GET('t'); |
| 324 | if (validate_get(GET('ti'), 'ti')) | 324 | if (GET('ti')) |
| 325 | $path .= ' - '.GET('ti'); | 325 | $path .= ' - '.GET('ti'); |
| 326 | 326 | ||
| 327 | return $path; | 327 | return $path; |