Use a more secure command line building method

Previously, a command is built by string concatenation. Here, the distinction between a value and multiple params got lost. Solve this by using an array for shell arguments. As the escaping is now removed from the `rrd_gen_graph` function, the canvas style needs to manually add those quotes to make the JS code still work. That only supports double-quotes, so hopefully nobody creates a name with a double quote as that would break the fragile JS command line parser. Separate the rrdtool options from the rrdtool graph command to make the `$graph_type == 'canvas'` option work (it would otherwise not understand the `rrdtool graph - -a PNG` option). Merge the SVG and PNG cases as they are the same except for the Content-Type header. Fix a missing html escape in a debug style.
author: Peter Wu 2014-07-20 23:30:49 +0200
committer: Peter Wu 2014-07-20 23:30:49 +0200
commit: 4a737bc1abdbef7e0698b006704a26583a4c61df (patch)
tree: 7d5f51f76acd43d1aeda601dd7201e2c158bdae4 /type/GenericStacked.class.php
parent: security: Add missing input validation for plugin (diff)
download: apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.zip
apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.gz
apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.bz2
apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.xz
1 files changed, 5 insertions, 5 deletions
diff --git a/type/GenericStacked.class.php b/type/GenericStacked.class.php
index a74ff18..d41c2ab 100644
--- a/type/GenericStacked.class.php
+++ b/type/GenericStacked.class.php
@@ -51,11 +51,11 @@ class Type_GenericStacked extends Type_Base {
                foreach ($sources as $source) {
                        $legend = empty($this->legend[$source]) ? $source : $this->legend[$source];
                        $color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors;
-                        $rrdgraph[] = sprintf('"LINE1:area_%s#%s:%s"', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));
+                        $rrdgraph[] = sprintf('LINE1:area_%s#%s:%s', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));
-                        $rrdgraph[] = sprintf('"GPRINT:min_%s:MIN:%s Min,"', crc32hex($source), $this->rrd_format);
+                        $rrdgraph[] = sprintf('GPRINT:min_%s:MIN:%s Min,', crc32hex($source), $this->rrd_format);
-                        $rrdgraph[] = sprintf('"GPRINT:avg_%s:AVERAGE:%s Avg,"', crc32hex($source), $this->rrd_format);
+                        $rrdgraph[] = sprintf('GPRINT:avg_%s:AVERAGE:%s Avg,', crc32hex($source), $this->rrd_format);
-                        $rrdgraph[] = sprintf('"GPRINT:max_%s:MAX:%s Max,"', crc32hex($source), $this->rrd_format);
+                        $rrdgraph[] = sprintf('GPRINT:max_%s:MAX:%s Max,', crc32hex($source), $this->rrd_format);
-                        $rrdgraph[] = sprintf('"GPRINT:avg_%s:LAST:%s Last\\l"', crc32hex($source), $this->rrd_format);
+                        $rrdgraph[] = sprintf('GPRINT:avg_%s:LAST:%s Last\\l', crc32hex($source), $this->rrd_format);
                }
                return $rrdgraph;
author	Peter Wu	2014-07-20 23:30:49 +0200
committer	Peter Wu	2014-07-20 23:30:49 +0200
commit	4a737bc1abdbef7e0698b006704a26583a4c61df (patch)
tree	7d5f51f76acd43d1aeda601dd7201e2c158bdae4 /type/GenericStacked.class.php
parent	security: Add missing input validation for plugin (diff)
download	apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.zip apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.gz apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.bz2 apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.xz

diff --git a/type/GenericStacked.class.php b/type/GenericStacked.class.php index a74ff18..d41c2ab 100644 --- a/type/GenericStacked.class.php +++ b/type/GenericStacked.class.php
@@ -51,11 +51,11 @@ class Type_GenericStacked extends Type_Base {
51	foreach ($sources as $source) {	51	foreach ($sources as $source) {
52	$legend = empty($this->legend[$source]) ? $source : $this->legend[$source];	52	$legend = empty($this->legend[$source]) ? $source : $this->legend[$source];
53	$color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors;	53	$color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors;
54	$rrdgraph[] = sprintf('"LINE1:area_%s#%s:%s"', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));	54	$rrdgraph[] = sprintf('LINE1:area_%s#%s:%s', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));
55	$rrdgraph[] = sprintf('"GPRINT:min_%s:MIN:%s Min,"', crc32hex($source), $this->rrd_format);	55	$rrdgraph[] = sprintf('GPRINT:min_%s:MIN:%s Min,', crc32hex($source), $this->rrd_format);
56	$rrdgraph[] = sprintf('"GPRINT:avg_%s:AVERAGE:%s Avg,"', crc32hex($source), $this->rrd_format);	56	$rrdgraph[] = sprintf('GPRINT:avg_%s:AVERAGE:%s Avg,', crc32hex($source), $this->rrd_format);
57	$rrdgraph[] = sprintf('"GPRINT:max_%s:MAX:%s Max,"', crc32hex($source), $this->rrd_format);	57	$rrdgraph[] = sprintf('GPRINT:max_%s:MAX:%s Max,', crc32hex($source), $this->rrd_format);
58	$rrdgraph[] = sprintf('"GPRINT:avg_%s:LAST:%s Last\\l"', crc32hex($source), $this->rrd_format);	58	$rrdgraph[] = sprintf('GPRINT:avg_%s:LAST:%s Last\\l', crc32hex($source), $this->rrd_format);
59	}	59	}
60		60
61	return $rrdgraph;	61	return $rrdgraph;