From a213f092ab2abc7d0033044b074a327f28287507 Mon Sep 17 00:00:00 2001 From: Pim van den Berg Date: Mon, 25 May 2015 12:02:35 +0200 Subject: inc/functions: merge functions GET and validate_get And make sure all input from $_GET variables are parsed and validated. --- detail.php | 17 ++++++++------- graph.php | 20 +++++++++--------- host.php | 4 ++-- inc/functions.inc.php | 58 ++++++++++++++++++++++++++++++++++++++++++--------- inc/html.inc.php | 10 ++++----- 5 files changed, 74 insertions(+), 35 deletions(-) diff --git a/detail.php b/detail.php index b4ece36..8978350 100644 --- a/detail.php +++ b/detail.php @@ -15,12 +15,12 @@ if (empty($_GET['y'])) if ($CONFIG['graph_type'] == 'hybrid') $CONFIG['graph_type'] = 'canvas'; -$host = validate_get(GET('h'), 'h'); -$plugin = validate_get(GET('p'), 'p'); -$pinstance = validate_get(GET('pi'), 'pi'); -$category = validate_get(GET('c'), 'c'); -$type = validate_get(GET('t'), 't'); -$tinstance = validate_get(GET('ti'), 'ti'); +$host = GET('h'); +$plugin = GET('p'); +$pinstance = GET('pi'); +$category = GET('c'); +$type = GET('t'); +$tinstance = GET('ti'); $seconds = GET('s'); $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin); @@ -40,7 +40,7 @@ plugins_list($host, $selected_plugins); echo '
'; plugin_header($host, $plugin); -$args = $_GET; +$args = GET(); print '
'; echo "\n"; diff --git a/graph.php b/graph.php index b546d02..67224b2 100644 --- a/graph.php +++ b/graph.php @@ -4,8 +4,8 @@ require_once 'conf/common.inc.php'; require_once 'inc/functions.inc.php'; require_once 'inc/collectd.inc.php'; -$plugin = validate_get(GET('p'), 'p'); -$type = validate_get(GET('t'), 't'); +$plugin = GET('p'); +$type = GET('t'); $width = GET('x') ? filter_var(GET('x'), FILTER_VALIDATE_INT, array( 'min_range' => 10, 'max_range' => $CONFIG['max-width'] @@ -18,12 +18,12 @@ $height = GET('y') ? filter_var(GET('y'), FILTER_VALIDATE_INT, array( if ($width === NULL || $height === NULL) { error_log(sprintf('Invalid image dimension, x="%s", y="%s"', urlencode(GET('x')), - urlencode(GET('y')))); + urlencode(GET('y')) + )); error_image(); } -if (validate_get(GET('h'), 'h') === NULL) { - error_log('Invalid host: "' . urlencode(GET('h')) . '"'); +if (GET('h') === NULL) { error_image(); } @@ -31,7 +31,7 @@ $typesdb = parse_typesdb_file($CONFIG['typesdb']); if ($plugin == 'aggregation') { $pi = explode("-", GET('pi')); - $plugin = $_GET['p'] = validate_get($pi[0], 'p'); + $plugin = $_GET['p'] = GET('p', $pi[0]); } # plugin json @@ -49,19 +49,19 @@ if (!isset($plugin_json[$type]['type'])) switch ($plugin_json[$type]['type']) { case 'stacked': require_once 'type/GenericStacked.class.php'; - $obj = new Type_GenericStacked($CONFIG, $_GET); + $obj = new Type_GenericStacked($CONFIG, GET()); break; case 'io': require_once 'type/GenericIO.class.php'; - $obj = new Type_GenericIO($CONFIG, $_GET); + $obj = new Type_GenericIO($CONFIG, GET()); break; case 'uptime': require_once 'type/Uptime.class.php'; - $obj = new Type_Uptime($CONFIG, $_GET); + $obj = new Type_Uptime($CONFIG, GET()); break; default: require_once 'type/Default.class.php'; - $obj = new Type_Default($CONFIG, $_GET); + $obj = new Type_Default($CONFIG, GET()); break; } diff --git a/host.php b/host.php index 2ba662d..f411b78 100644 --- a/host.php +++ b/host.php 
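Review bot: The guard `if ($width === NULL || $height === NULL)` never fires on a failed dimension check, because filter_var(FILTER_VALIDATE_INT) returns false, not NULL, when validation fails; with GET() now only requiring is_numeric(), a request with `x=1e9` passes GET('x'), gets false back from filter_var(), and the false width goes on to the graph code instead of error_image(). Change the test to `if ($width === false || $height === false) {` (or pass `FILTER_NULL_ON_FAILURE` and keep the NULL comparison). It is also worth confirming against the full file that `min_range`/`max_range` sit under an `'options'` key in the filter_var() call; as printed in the earlier hunk they are top-level array entries, which filter_var() ignores, so max-width would not be enforced at all. The filter_var() expressions begin in the previous hunk and are only partly visible here.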
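Review bot: In the aggregation hunk, `$plugin = $_GET['p'] = GET('p', $pi[0]);` has no failure handling: if `pi` is missing or invalid, GET('pi') is NULL, explode() yields `['']`, GET('p', '') fails the `\w+` check and returns NULL, and both `$plugin` and `$_GET['p']` become NULL with nothing stopping the request the way the `GET('h') === NULL` check does just above. Add `if ($plugin === NULL) error_image();` immediately after that line so a bad aggregation name is rejected before the plugin JSON lookup, which happens outside this hunk. Note that GET() with an explicit `$value` still returns NULL when `$_GET['p']` itself is unset; that is fine here only because `$plugin == 'aggregation'` already proves it is set.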
@@ -4,8 +4,8 @@ require_once 'conf/common.inc.php'; require_once 'inc/html.inc.php'; require_once 'inc/collectd.inc.php'; -$host = validate_get(GET('h'), 'h'); -$plugin = validate_get(GET('p'), 'p'); +$host = GET('h'); +$plugin = GET('p'); $selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin); diff --git a/inc/functions.inc.php b/inc/functions.inc.php index f667772..9e56868 100644 --- a/inc/functions.inc.php +++ b/inc/functions.inc.php 
@@ -2,28 +2,66 @@ # global functions -function GET($index) { - if (isset($_GET[$index])) - return $_GET[$index]; - return null; -} +function GET($index = NULL, $value = NULL) { + # parse all values from $_GET when no index is given + if ($index === NULL) { + $arr = array(); + foreach($_GET as $i => $v) { + $arr[$i] = GET($i); + } + return $arr; + } + + if (!isset($_GET[$index])) + return NULL; + + if ($value === NULL) + $value = $_GET[$index]; -function validate_get($value, $type) { - switch($type) { + $desc = array( + 'h' => 'host', + 'p' => 'plugin', + 'c' => 'category', + 't' => 'type', + 'pi' => 'plugin instance', + 'ti' => 'type instance', + 's' => 'seconds', + 'x' => 'x-axis', + 'y' => 'y-axis', + ); + + switch($index) { case 'h': # host - if (!preg_match('/^[\w-.]+$/u', $value)) + if (!preg_match('/^[\w-.]+$/u', $value)) { + error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); return NULL; + } break; case 'p': # plugin case 'c': # category case 't': # type - if (!preg_match('/^\w+$/u', $value)) + if (!preg_match('/^\w+$/u', $value)) { + error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); return NULL; + } break; case 'pi': # plugin instance case 'ti': # type instance - if (!preg_match('/^[\w-]+$/u', $value)) + if (!preg_match('/^[\w-]+$/u', $value)) { + error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); + return NULL; + } + break; + case 's': # seconds + case 'x': # x-axis + case 'y': # y-axis + if (!is_numeric($value)) { + error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value)); return NULL; + } + break; + default: + return NULL; break; } diff --git a/inc/html.inc.php b/inc/html.inc.php index 3998f54..98081ce 100644 --- a/inc/html.inc.php +++ b/inc/html.inc.php 
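Review bot: The four new error_log() calls in GET() write the raw request value into the log, while the graph.php hunk drops the `urlencode(GET('h'))` that used to protect the host log line, so a parameter carrying CR/LF or terminal escape bytes can now forge log entries; pass `urlencode($value)` as the last sprintf() argument in each case. `$_GET` entries can also be arrays (`?h[]=x`), which preg_match() rejects with a warning on PHP 7 and a TypeError on PHP 8 — a one-line `if (!is_string($value)) return NULL;` right after `$value` is assigned from `$_GET[$index]` closes that. The host pattern `/^[\w-.]+$/u` is rejected as an invalid range by PCRE2 (PHP 7.3+), which makes preg_match() return false and every host NULL; `/^[\w.-]+$/u` matches the same set on both PCRE versions. GET() continues past the end of this hunk (the validated value is presumably returned after the switch), so the tail of the function is not reviewed here.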
@@ -313,15 +313,15 @@ function host_summary($cat, $hosts) { function breadcrumbs() { $path = ''; - if (validate_get(GET('h'), 'h')) + if (GET('h')) $path .= ' - '.ucfirst(GET('h')); - if (validate_get(GET('p'), 'p')) + if (GET('p')) $path .= ' - '.ucfirst(GET('p')); - if (validate_get(GET('pi'), 'pi')) + if (GET('pi')) $path .= ' - '.GET('pi'); - if (validate_get(GET('t'), 't') && validate_get(GET('p'), 'p') && GET('t') != GET('p')) + if (GET('t') && GET('p') && GET('t') != GET('p')) $path .= ' - '.GET('t'); - if (validate_get(GET('ti'), 'ti')) + if (GET('ti')) $path .= ' - '.GET('ti'); return $path; -- cgit v1.1
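Review bot: Every GET() call in breadcrumbs() now re-runs the validation regex and, for a bad value, writes another error_log() line, and this hunk calls GET('p') four times and GET('t') up to four times on top of the calls detail.php/host.php already make, so a single malformed `p` yields several identical log entries per request. Fetch each parameter once into a local (`$h = GET('h'); $p = GET('p'); $pi = GET('pi'); $t = GET('t'); $ti = GET('ti');`) and test and concatenate the locals; behaviour is unchanged and the duplicate logging disappears. Separately, `ucfirst()` is byte-based, so a host or plugin name that starts with a multibyte character (allowed by the `/u` patterns) is left unchanged, which may be acceptable but is worth a comment. The closing brace of breadcrumbs() is not visible in this hunk.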