Use a more secure command line building method

Previously, a command is built by string concatenation. Here, the distinction between a value and multiple params got lost. Solve this by using an array for shell arguments. As the escaping is now removed from the `rrd_gen_graph` function, the canvas style needs to manually add those quotes to make the JS code still work. That only supports double-quotes, so hopefully nobody creates a name with a double quote as that would break the fragile JS command line parser. Separate the rrdtool options from the rrdtool graph command to make the `$graph_type == 'canvas'` option work (it would otherwise not understand the `rrdtool graph - -a PNG` option). Merge the SVG and PNG cases as they are the same except for the Content-Type header. Fix a missing html escape in a debug style.
author: Peter Wu 2014-07-20 23:30:49 +0200
committer: Peter Wu 2014-07-20 23:30:49 +0200
commit: 4a737bc1abdbef7e0698b006704a26583a4c61df (patch)
tree: 7d5f51f76acd43d1aeda601dd7201e2c158bdae4 /type/Uptime.class.php
parent: security: Add missing input validation for plugin (diff)
download: apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.zip
apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.gz
apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.bz2
apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.xz
1 files changed, 6 insertions, 6 deletions
diff --git a/type/Uptime.class.php b/type/Uptime.class.php
index e57df0b..52af3a4 100644
--- a/type/Uptime.class.php
+++ b/type/Uptime.class.php
@@ -45,16 +45,16 @@ class Type_Uptime extends Type_Base {
                        $color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors;
                        //current value
-                        $rrdgraph[] = sprintf('"LINE1:area_%s#%s:%s"', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));
+                        $rrdgraph[] = sprintf('LINE1:area_%s#%s:%s', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));
-                        $rrdgraph[] = sprintf('"GPRINT:c_avg_%s:LAST:%s days\\l"', crc32hex($source), $this->rrd_format);
+                        $rrdgraph[] = sprintf('GPRINT:c_avg_%s:LAST:%s days\\l', crc32hex($source), $this->rrd_format);
                        //max value
-                        $rrdgraph[] = sprintf('"LINE1:v_max_%s#FF0000:Maximum:dashes"', crc32hex($source));
+                        $rrdgraph[] = sprintf('LINE1:v_max_%s#FF0000:Maximum:dashes', crc32hex($source));
-                        $rrdgraph[] = sprintf('"GPRINT:v_max_%s:%s days\\l"', crc32hex($source), $this->rrd_format);
+                        $rrdgraph[] = sprintf('GPRINT:v_max_%s:%s days\\l', crc32hex($source), $this->rrd_format);
                        //avg value
-                        $rrdgraph[] = sprintf('"LINE1:v_avg_%s#0000FF:Average:dashes"', crc32hex($source));
+                        $rrdgraph[] = sprintf('LINE1:v_avg_%s#0000FF:Average:dashes', crc32hex($source));
-                        $rrdgraph[] = sprintf('"GPRINT:v_avg_%s:%s days\\l"', crc32hex($source), $this->rrd_format);
+                        $rrdgraph[] = sprintf('GPRINT:v_avg_%s:%s days\\l', crc32hex($source), $this->rrd_format);
                }
                return $rrdgraph;
author	Peter Wu	2014-07-20 23:30:49 +0200
committer	Peter Wu	2014-07-20 23:30:49 +0200
commit	4a737bc1abdbef7e0698b006704a26583a4c61df (patch)
tree	7d5f51f76acd43d1aeda601dd7201e2c158bdae4 /type/Uptime.class.php
parent	security: Add missing input validation for plugin (diff)
download	apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.zip apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.gz apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.bz2 apt-panopticon_cgp-4a737bc1abdbef7e0698b006704a26583a4c61df.tar.xz

diff --git a/type/Uptime.class.php b/type/Uptime.class.php index e57df0b..52af3a4 100644 --- a/type/Uptime.class.php +++ b/type/Uptime.class.php
@@ -45,16 +45,16 @@ class Type_Uptime extends Type_Base {
45	$color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors;	45	$color = is_array($this->colors) ? (isset($this->colors[$source])?$this->colors[$source]:$this->colors[$c++]) : $this->colors;
46		46
47	//current value	47	//current value
48	$rrdgraph[] = sprintf('"LINE1:area_%s#%s:%s"', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));	48	$rrdgraph[] = sprintf('LINE1:area_%s#%s:%s', crc32hex($source), $this->validate_color($color), $this->rrd_escape($legend));
49	$rrdgraph[] = sprintf('"GPRINT:c_avg_%s:LAST:%s days\\l"', crc32hex($source), $this->rrd_format);	49	$rrdgraph[] = sprintf('GPRINT:c_avg_%s:LAST:%s days\\l', crc32hex($source), $this->rrd_format);
50		50
51	//max value	51	//max value
52	$rrdgraph[] = sprintf('"LINE1:v_max_%s#FF0000:Maximum:dashes"', crc32hex($source));	52	$rrdgraph[] = sprintf('LINE1:v_max_%s#FF0000:Maximum:dashes', crc32hex($source));
53	$rrdgraph[] = sprintf('"GPRINT:v_max_%s:%s days\\l"', crc32hex($source), $this->rrd_format);	53	$rrdgraph[] = sprintf('GPRINT:v_max_%s:%s days\\l', crc32hex($source), $this->rrd_format);
54		54
55	//avg value	55	//avg value
56	$rrdgraph[] = sprintf('"LINE1:v_avg_%s#0000FF:Average:dashes"', crc32hex($source));	56	$rrdgraph[] = sprintf('LINE1:v_avg_%s#0000FF:Average:dashes', crc32hex($source));
57	$rrdgraph[] = sprintf('"GPRINT:v_avg_%s:%s days\\l"', crc32hex($source), $this->rrd_format);	57	$rrdgraph[] = sprintf('GPRINT:v_avg_%s:%s days\\l', crc32hex($source), $this->rrd_format);
58	}	58	}
59		59
60	return $rrdgraph;	60	return $rrdgraph;