From a213f092ab2abc7d0033044b074a327f28287507 Mon Sep 17 00:00:00 2001
From: Pim van den Berg
Date: Mon, 25 May 2015 12:02:35 +0200
Subject: inc/functions: merge functions GET and validate_get
And make sure all input from $_GET variables is parsed and validated.
---
detail.php | 17 ++++++++-------
graph.php | 20 +++++++++---------
host.php | 4 ++--
inc/functions.inc.php | 58 ++++++++++++++++++++++++++++++++++++++++++---------
inc/html.inc.php | 10 ++++-----
5 files changed, 74 insertions(+), 35 deletions(-)
diff --git a/detail.php b/detail.php
index b4ece36..8978350 100644
--- a/detail.php
+++ b/detail.php
@@ -15,12 +15,12 @@ if (empty($_GET['y']))
if ($CONFIG['graph_type'] == 'hybrid')
$CONFIG['graph_type'] = 'canvas';
-$host = validate_get(GET('h'), 'h');
-$plugin = validate_get(GET('p'), 'p');
-$pinstance = validate_get(GET('pi'), 'pi');
-$category = validate_get(GET('c'), 'c');
-$type = validate_get(GET('t'), 't');
-$tinstance = validate_get(GET('ti'), 'ti');
+$host = GET('h');
+$plugin = GET('p');
+$pinstance = GET('pi');
+$category = GET('c');
+$type = GET('t');
+$tinstance = GET('ti');
$seconds = GET('s');
$selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin);
@@ -40,7 +40,7 @@ plugins_list($host, $selected_plugins);
echo '
';
plugin_header($host, $plugin);
-$args = $_GET;
+$args = GET();
print '
' . "\n";
foreach($CONFIG['term'] as $key => $s) {
$args['s'] = $s;
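Review bot: `$args = GET()` returns one entry for every key present in `$_GET`, including names GET() does not recognise, which its default branch maps to NULL rather than dropping, so rejected or unknown parameters are still carried in `$args` when the links are built further down. Unless build_url() already skips NULL values (it is not visible here), filter them out at this point: `$args = array_filter(GET(), function ($v) { return $v !== NULL; });`. The foreach this line belongs to continues past the hunk.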
@@ -59,7 +59,8 @@ if ($CONFIG['graph_type'] == 'canvas') {
} else {
printf("\n",
htmlentities($CONFIG['weburl']),
- htmlentities(build_url('graph.php', $_GET)));
+ htmlentities(build_url('graph.php', GET()))
+ );
}
echo '
';
echo "\n";
diff --git a/graph.php b/graph.php
index b546d02..67224b2 100644
--- a/graph.php
+++ b/graph.php
@@ -4,8 +4,8 @@ require_once 'conf/common.inc.php';
require_once 'inc/functions.inc.php';
require_once 'inc/collectd.inc.php';
-$plugin = validate_get(GET('p'), 'p');
-$type = validate_get(GET('t'), 't');
+$plugin = GET('p');
+$type = GET('t');
$width = GET('x') ? filter_var(GET('x'), FILTER_VALIDATE_INT, array(
'min_range' => 10,
'max_range' => $CONFIG['max-width']
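Review bot: Because GET('x') now returns NULL for any non-numeric value, a request such as `x=abc` never reaches filter_var() or the `$width === NULL` error path; the ternary takes its else branch (outside this hunk), presumably a default width, so a malformed dimension is silently accepted where it previously produced error_image(). If the explicit failure is still wanted, test presence separately from validity, e.g. `if (isset($_GET['x']) && GET('x') === NULL) error_image();` before computing `$width`, and likewise for `y`. The `$width` statement itself continues past the end of the hunk.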
@@ -18,12 +18,12 @@ $height = GET('y') ? filter_var(GET('y'), FILTER_VALIDATE_INT, array(
if ($width === NULL || $height === NULL) {
error_log(sprintf('Invalid image dimension, x="%s", y="%s"',
urlencode(GET('x')),
- urlencode(GET('y'))));
+ urlencode(GET('y'))
+ ));
error_image();
}
-if (validate_get(GET('h'), 'h') === NULL) {
- error_log('Invalid host: "' . urlencode(GET('h')) . '"');
+if (GET('h') === NULL) {
error_image();
}
@@ -31,7 +31,7 @@ $typesdb = parse_typesdb_file($CONFIG['typesdb']);
if ($plugin == 'aggregation') {
$pi = explode("-", GET('pi'));
- $plugin = $_GET['p'] = validate_get($pi[0], 'p');
+ $plugin = $_GET['p'] = GET('p', $pi[0]);
}
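Review bot: The remapped plugin can be NULL here and nothing aborts, unlike the host check a few lines up: `pi` may be absent, or begin with `-` (allowed by the `[\w-]+` pattern) so `$pi[0]` is the empty string and fails the `\w+` check, after which NULL is written back into `$_GET['p']` and execution continues into the plugin lookup below. Add `if ($plugin === NULL) error_image();` after the assignment so the aggregation path fails the same way an invalid host does. The surrounding graph.php code before and after this hunk is not visible, so whether the lookup tolerates a NULL plugin is inferred, not checked.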
# plugin json
@@ -49,19 +49,19 @@ if (!isset($plugin_json[$type]['type']))
switch ($plugin_json[$type]['type']) {
case 'stacked':
require_once 'type/GenericStacked.class.php';
- $obj = new Type_GenericStacked($CONFIG, $_GET);
+ $obj = new Type_GenericStacked($CONFIG, GET());
break;
case 'io':
require_once 'type/GenericIO.class.php';
- $obj = new Type_GenericIO($CONFIG, $_GET);
+ $obj = new Type_GenericIO($CONFIG, GET());
break;
case 'uptime':
require_once 'type/Uptime.class.php';
- $obj = new Type_Uptime($CONFIG, $_GET);
+ $obj = new Type_Uptime($CONFIG, GET());
break;
default:
require_once 'type/Default.class.php';
- $obj = new Type_Default($CONFIG, $_GET);
+ $obj = new Type_Default($CONFIG, GET());
break;
}
diff --git a/host.php b/host.php
index 2ba662d..f411b78 100644
--- a/host.php
+++ b/host.php
@@ -4,8 +4,8 @@ require_once 'conf/common.inc.php';
require_once 'inc/html.inc.php';
require_once 'inc/collectd.inc.php';
-$host = validate_get(GET('h'), 'h');
-$plugin = validate_get(GET('p'), 'p');
+$host = GET('h');
+$plugin = GET('p');
$selected_plugins = !$plugin ? $CONFIG['overview'] : array($plugin);
diff --git a/inc/functions.inc.php b/inc/functions.inc.php
index f667772..9e56868 100644
--- a/inc/functions.inc.php
+++ b/inc/functions.inc.php
@@ -2,28 +2,66 @@
# global functions
-function GET($index) {
- if (isset($_GET[$index]))
- return $_GET[$index];
- return null;
-}
+function GET($index = NULL, $value = NULL) {
+ # parse all values from $_GET when no index is given
+ if ($index === NULL) {
+ $arr = array();
+ foreach($_GET as $i => $v) {
+ $arr[$i] = GET($i);
+ }
+ return $arr;
+ }
+
+ if (!isset($_GET[$index]))
+ return NULL;
+
+ if ($value === NULL)
+ $value = $_GET[$index];
-function validate_get($value, $type) {
- switch($type) {
+ $desc = array(
+ 'h' => 'host',
+ 'p' => 'plugin',
+ 'c' => 'category',
+ 't' => 'type',
+ 'pi' => 'plugin instance',
+ 'ti' => 'type instance',
+ 's' => 'seconds',
+ 'x' => 'x-axis',
+ 'y' => 'y-axis',
+ );
+
+ switch($index) {
case 'h': # host
- if (!preg_match('/^[\w-.]+$/u', $value))
+ if (!preg_match('/^[\w-.]+$/u', $value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
return NULL;
+ }
break;
case 'p': # plugin
case 'c': # category
case 't': # type
- if (!preg_match('/^\w+$/u', $value))
+ if (!preg_match('/^\w+$/u', $value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
return NULL;
+ }
break;
case 'pi': # plugin instance
case 'ti': # type instance
- if (!preg_match('/^[\w-]+$/u', $value))
+ if (!preg_match('/^[\w-]+$/u', $value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
+ return NULL;
+ }
+ break;
+ case 's': # seconds
+ case 'x': # x-axis
+ case 'y': # y-axis
+ if (!is_numeric($value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
return NULL;
+ }
+ break;
+ default:
+ return NULL;
break;
}
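Review bot: Each of the four error_log() calls writes the rejected `$value` into the log verbatim, whereas the graph.php call site this hunk replaces wrapped it in urlencode(); an attacker-controlled value containing CR/LF or terminal escape bytes can now forge or corrupt log lines, so pass `urlencode($value)` to the sprintf instead. Two points on the patterns themselves: `$` without the `D` modifier still matches before a trailing newline, so `h=foo%0A` passes the host check, and `[\w-.]` is a literal hyphen under PCRE1 but is rejected as an invalid range by PCRE2 (PHP 7.3 and later, as far as I recall), so writing the class as `[\w.-]` and adding `D` avoids both. is_numeric() also accepts leading whitespace, signs and exponent forms such as `' 1e3'`, so if `s` ever reaches an rrdtool or shell argument prefer FILTER_VALIDATE_INT. The function's `return $value` and closing brace lie outside the hunk; a table-driven shape with a single logging site is sketched below.
```php
function GET($index = NULL, $value = NULL) {
    // … unchanged: whole-array branch, isset() check, $value default, $desc table …
    static $patterns = array(
        'h'  => '/^[\w.-]+$/uD',   // host; hyphen last so PCRE2 sees no range, D anchors at the true end
        'p'  => '/^\w+$/uD',       // plugin
        'c'  => '/^\w+$/uD',       // category
        't'  => '/^\w+$/uD',       // type
        'pi' => '/^[\w-]+$/uD',    // plugin instance
        'ti' => '/^[\w-]+$/uD',    // type instance
    );
    if (isset($patterns[$index])) {
        $valid = is_string($value) && preg_match($patterns[$index], $value) === 1;
    } elseif ($index === 's' || $index === 'x' || $index === 'y') {
        $valid = is_string($value) && is_numeric($value);
    } else {
        return NULL;   // unknown parameter: fail closed, as before
    }
    if (!$valid) {
        // urlencode keeps attacker-controlled CR/LF and escape bytes out of the log line
        error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, urlencode($value)));
        return NULL;
    }
    // … unchanged: return $value and closing brace (outside the hunk) …
```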
diff --git a/inc/html.inc.php b/inc/html.inc.php
index 3998f54..98081ce 100644
--- a/inc/html.inc.php
+++ b/inc/html.inc.php
@@ -313,15 +313,15 @@ function host_summary($cat, $hosts) {
function breadcrumbs() {
$path = '';
- if (validate_get(GET('h'), 'h'))
+ if (GET('h'))
$path .= ' - '.ucfirst(GET('h'));
- if (validate_get(GET('p'), 'p'))
+ if (GET('p'))
$path .= ' - '.ucfirst(GET('p'));
- if (validate_get(GET('pi'), 'pi'))
+ if (GET('pi'))
$path .= ' - '.GET('pi');
- if (validate_get(GET('t'), 't') && validate_get(GET('p'), 'p') && GET('t') != GET('p'))
+ if (GET('t') && GET('p') && GET('t') != GET('p'))
$path .= ' - '.GET('t');
- if (validate_get(GET('ti'), 'ti'))
+ if (GET('ti'))
$path .= ' - '.GET('ti');
return $path;
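Review bot: breadcrumbs() concatenates the raw query values into `$path` without HTML escaping, so its safety now rests entirely on the character whitelists inside GET(); if the returned string is echoed into a page (likely given the file, but not visible here), escape each piece, e.g. `$path .= ' - ' . htmlspecialchars(GET('pi'), ENT_QUOTES, 'UTF-8');`, so a later relaxation of those patterns cannot turn this into reflected XSS. Note also that `\w` under the `u` modifier admits non-ASCII letters on PHP builds where /u also enables UCP, while ucfirst() is byte-based and may mangle the first character of such a host or plugin name. The function's closing brace lies outside the hunk.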
--