diff options
author | Peter Wu | 2014-07-20 23:30:49 +0200 |
---|---|---|
committer | Peter Wu | 2014-07-20 23:30:49 +0200 |
commit | 4a737bc1abdbef7e0698b006704a26583a4c61df (patch) | |
tree | 7d5f51f76acd43d1aeda601dd7201e2c158bdae4 /type/GenericStacked.class.php | |
parent | security: Add missing input validation for plugin (diff) | |
download | apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.zip apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.gz apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.bz2 apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.xz |
Use a more secure command line building method
Previously, a command is built by string concatenation. Here, the
distinction between a value and multiple params got lost. Solve this
by using an array for shell arguments. As the escaping is now removed
from the `rrd_gen_graph` function, the canvas style needs to manually
add those quotes to make the JS code still work. That only supports
double-quotes, so hopefully nobody creates a name with a double quote
as that would break the fragile JS command line parser.
Separate the rrdtool options from the rrdtool graph command to make the
`$graph_type == 'canvas'` option work (it would otherwise not understand
the `rrdtool graph - -a PNG` option).
Merge the SVG and PNG cases as they are the same except for the
Content-Type header.
Fix a missing html escape in a debug style.
Diffstat (limited to 'type/GenericStacked.class.php')
-rw-r--r-- | type/GenericStacked.class.php | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/type/GenericStacked.class.php b/type/GenericStacked.class.php index a74ff18..d41c2ab 100644 --- a/type/GenericStacked.class.php +++ b/type/GenericStacked.class.php | |||
@@ -51,11 +51,11 @@ class Type_GenericStacked extends Type_Base { | |||
51 | foreach ($sources as $source) { | 51 | foreach ($sources as $source) { |
52 | $legend = empty($this->legend[$source]) ? $source : $this->legend[$source]; | 52 | $legend = empty($this->legend[$source]) ? $source : $this->legend[$source]; |
53 | $color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors; | 53 | $color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors; |
54 | $rrdgraph[] = sprintf('"LINE1:area_%s#%s:%s"', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend)); | 54 | $rrdgraph[] = sprintf('LINE1:area_%s#%s:%s', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend)); |
55 | $rrdgraph[] = sprintf('"GPRINT:min_%s:MIN:%s Min,"', crc32hex($source), $this->rrd_format); | 55 | $rrdgraph[] = sprintf('GPRINT:min_%s:MIN:%s Min,', crc32hex($source), $this->rrd_format); |
56 | $rrdgraph[] = sprintf('"GPRINT:avg_%s:AVERAGE:%s Avg,"', crc32hex($source), $this->rrd_format); | 56 | $rrdgraph[] = sprintf('GPRINT:avg_%s:AVERAGE:%s Avg,', crc32hex($source), $this->rrd_format); |
57 | $rrdgraph[] = sprintf('"GPRINT:max_%s:MAX:%s Max,"', crc32hex($source), $this->rrd_format); | 57 | $rrdgraph[] = sprintf('GPRINT:max_%s:MAX:%s Max,', crc32hex($source), $this->rrd_format); |
58 | $rrdgraph[] = sprintf('"GPRINT:avg_%s:LAST:%s Last\\l"', crc32hex($source), $this->rrd_format); | 58 | $rrdgraph[] = sprintf('GPRINT:avg_%s:LAST:%s Last\\l', crc32hex($source), $this->rrd_format); |
59 | } | 59 | } |
60 | 60 | ||
61 | return $rrdgraph; | 61 | return $rrdgraph; |