detail.php
In detail.php $_GET['x'] and $_GET['y'] are overridden. filter_input
takes the original values. This results in NULL values.
| |
Report 400 Bad Request on query errors instead of reporting 200 OK
(which can be cached).
Add some additional validation for the 'x' and 'y' parameters, to catch
underflow (test with `x=-10` for example). Also fix a typo in the error
message and include more details (the actual error).
| |
`[\w\W]` matches EVERYTHING. Validation failed. Also remove `\d` as
`\w` is a superset of it.
Also check that the host parameter is actually non-empty, otherwise
`collectd_plugins` will happily return results as the directory
`$CONFIG['datadir'] . '/' . ''` trivially exists...
| |
If a datadir would contain characters with a special meaning in regex
(e.g. `/tmp/logs (new)`), then the function would blow up.
| |
... for instance, when using an overly large "s" parameter.
| |
Also init info_array in case the output is empty.
| |
Previously, a command was built by string concatenation. Here, the
distinction between a value and multiple params got lost. Solve this
by using an array for shell arguments. As the escaping is now removed
from the `rrd_gen_graph` function, the canvas style needs to manually
add those quotes to make the JS code still work. That only supports
double-quotes, so hopefully nobody creates a name with a double quote
as that would break the fragile JS command line parser.
Separate the rrdtool options from the rrdtool graph command to make the
`$graph_type == 'canvas'` option work (it would otherwise not understand
the `rrdtool graph - -a PNG` option).
Merge the SVG and PNG cases as they are the same except for the
Content-Type header.
Fix a missing html escape in a debug style.
| |
This is a security bug. The contents of the file are not
immediately disclosed, but it could disclose environment information
to the attacker (when display_errors=1 and an ancient PHP version
is used that does not check for '\0' in `file_exists()`).
| |
index.php expects that collectd_hosts() always returns an array for
array_diff. Since an empty array evaluates to FALSE anyway, do not
change the type and just return the empty array.
In base.php, if no files are returned, the loop is never called and
three variables are not initialized. Do it now.
| |
Make build_url return a URL, not HTML. This separates presentation
from data.
plugin_header's return value is unused, remove the unnecessary return.
At places where `printf("<tag att='%s'>", $x);` is used, it is now
converted to `printf("<tag att=\"%s\">", htmlentities($x));` since
the single quote is not escaped by default by htmlentities.
In case the canvas style is used, JS should use `textContent` instead
of `innerHTML` to avoid reading `&quot;` instead of `"`. Nobody (should)
use(s) IE6 anymore, so it is a safe change.
While at it, use the standard charset attribute of meta to specify
the character set (UTF-8).
| |
Closes #86
| |
Closes #73
| |
The value of HRULE could be a reference to for example a VDEF variable.
Closes #85
| |
A malicious user can enter JavaScript code in "h" GET parameter and this
code gets executed because this parameter is copied in the HTML output
without any escaping. This patch escapes the output before it is checked
that it is valid.
| |
Forgotten in commit:
v0.3-77-gbf56a64 [remove ajax js code]
| |
array_merge resets the index, while in case of $this->colors and
$this->legend, we'd like to keep the index. An irq plugin sample:
array(1 => 1, 'ERR' => 'ERR') must not become
array(0 => 1, 'ERR' => 'ERR') after an array_merge.
| |
Set $CONFIG['percentile'] to a number and a XXth percentile line + legend
will be added to all network traffic (if_octets) graphs.
Closes #81
| |
Closes #78
| |
When type wasn't set in the plugin json, a "PHP Notice: Undefined index"
would pop up. Just default to 'default' when type isn't set.
Closes #76 #77
| |
Include graph.php instead of non-existing plugin/$plugin.php.
Closes #75
| |
Closes: #72
| |
Include graph.php instead of non-existing plugin/$plugin.php.
| |
Closes: https://github.com/pommi/CGP/issues/71
| |
Closes: https://github.com/pommi/CGP/issues/69
| |
A couple of big changes here. A lot of logic moved to graph.php.
The PHP plugin files have been rewritten to JSON. In these JSON files
*everything* is optional. Also *NOT* having a JSON plugin file won't
block you from having a graph. The JSON will just make the graphs
prettier (by having a title, y-axis title, legend, colors, etc.).
The Collectd types.db file is parsed and used to determine RRD content.
When things are not defined in the JSON it will fall back to a default.
| |
Since the previous commit [type/base: show tinstances not defined in
$this->order in graph] all type instances that are not defined in the
plugin, are colored black. This way you always have nice colors.
| |
Previously if $this->order was defined in a graph, only type instances
that were defined in $this->order showed up in the graph. Now it merges
$this->order and the type instances.
| |
This had nothing to do with an RRD data source.
| |
They generate html.
| |
This means we have to check the return value of these functions for
example before doing a foreach. We can't just do a foreach and assume the
return value of a function is an array, while it can be false and results
in a PHP warning.
Closes: https://github.com/pommi/CGP/pull/68