From 4a737bc1abdbef7e0698b006704a26583a4c61df Mon Sep 17 00:00:00 2001 From: Peter Wu Date: Sun, 20 Jul 2014 23:30:49 +0200 Subject: Use a more secure command line building method Previously, a command is built by string concatenation. Here, the distinction between a value and multiple params got lost. Solve this by using an array for shell arguments. As the escaping is now removed from the `rrd_gen_graph` function, the canvas style needs to manually add those quotes to make the JS code still work. That only supports double-quotes, so hopefully nobody creates a name with a double quote as that would break the fragile JS command line parser. Separate the rrdtool options from the rrdtool graph command to make the `$graph_type == 'canvas'` option work (it would otherwise not understand the `rrdtool graph - -a PNG` option). Merge the SVG and PNG cases as they are the same except for the Content-Type header. Fix a missing html escape in a debug style.
---
 graph.php | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'graph.php')
diff --git a/graph.php b/graph.php
index 1727c1b..3e33b92 100644
--- a/graph.php
+++ b/graph.php
@@ -86,7 +86,16 @@ if (isset($plugin_json[$type]['vertical'])) {
 }
 
 if (isset($plugin_json[$type]['rrdtool_opts'])) {
- $obj->rrdtool_opts[] = $plugin_json[$type]['rrdtool_opts'];
+ $rrdtool_extra_opts = $plugin_json[$type]['rrdtool_opts'];
+ # compatibility with plugins which specify arguments as string
+ if (is_string($rrdtool_extra_opts)) {
+ $rrdtool_extra_opts = explode(' ', $rrdtool_extra_opts);
+ }
+
+ $obj->rrdtool_opts = array_merge(
+ $obj->rrdtool_opts,
+ $rrdtool_extra_opts
+ );
 }
 
 if (isset($plugin_json[$type]['datasize']) and $plugin_json[$type]['datasize'])
--
cgit v1.1
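Review bot: The string-compatibility branch uses `explode(' ', $rrdtool_extra_opts)`, which splits on every single space, so a doubled, leading or trailing space in a plugin's `rrdtool_opts` produces empty-string elements that end up as empty rrdtool arguments. A quoted value containing a space is also cut apart with its quote characters left in. Splitting on whitespace runs removes the empty elements: `$rrdtool_extra_opts = preg_split('/\s+/', $rrdtool_extra_opts, -1, PREG_SPLIT_NO_EMPTY);`, and the `# compatibility` comment should say that string-form options cannot carry arguments containing spaces. The value then goes to `array_merge()` with no `is_array()` check, so a number, boolean or null in the plugin JSON fails at the merge, and nested or non-string elements pass through unchecked. A guard such as `if (!is_array($rrdtool_extra_opts)) { $rrdtool_extra_opts = array(); }` would make the expected shape explicit. How the merged array is escaped when the command is built is outside this hunk.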