From a213f092ab2abc7d0033044b074a327f28287507 Mon Sep 17 00:00:00 2001
From: Pim van den Berg
Date: Mon, 25 May 2015 12:02:35 +0200
Subject: inc/functions: merge functions GET and validate_get

And make sure all input from $_GET variables are parsed and validated.
---
 inc/functions.inc.php | 58 ++++++++++++++++++++++++++++++++++++++++++---------
 inc/html.inc.php | 10 ++++-----
 2 files changed, 53 insertions(+), 15 deletions(-)
(limited to 'inc')

diff --git a/inc/functions.inc.php b/inc/functions.inc.php
index f667772..9e56868 100644
--- a/inc/functions.inc.php
+++ b/inc/functions.inc.php
@@ -2,28 +2,66 @@
 # global functions
-function GET($index) {
- if (isset($_GET[$index]))
- return $_GET[$index];
- return null;
-}
+function GET($index = NULL, $value = NULL) {
+ # parse all values from $_GET when no index is given
+ if ($index === NULL) {
+ $arr = array();
+ foreach($_GET as $i => $v) {
+ $arr[$i] = GET($i);
+ }
+ return $arr;
+ }
+
+ if (!isset($_GET[$index]))
+ return NULL;
+
+ if ($value === NULL)
+ $value = $_GET[$index];
-function validate_get($value, $type) {
- switch($type) {
+ $desc = array(
+ 'h' => 'host',
+ 'p' => 'plugin',
+ 'c' => 'category',
+ 't' => 'type',
+ 'pi' => 'plugin instance',
+ 'ti' => 'type instance',
+ 's' => 'seconds',
+ 'x' => 'x-axis',
+ 'y' => 'y-axis',
+ );
+
+ switch($index) {
 case 'h': # host
- if (!preg_match('/^[\w-.]+$/u', $value))
+ if (!preg_match('/^[\w-.]+$/u', $value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
 return NULL;
+ }
 break;
 case 'p': # plugin
 case 'c': # category
 case 't': # type
- if (!preg_match('/^\w+$/u', $value))
+ if (!preg_match('/^\w+$/u', $value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
 return NULL;
+ }
 break;
 case 'pi': # plugin instance
 case 'ti': # type instance
- if (!preg_match('/^[\w-]+$/u', $value))
+ if (!preg_match('/^[\w-]+$/u', $value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
+ return NULL;
+ }
+ break;
+ case 's': # seconds
+ case 'x': # x-axis
+ case 'y': # y-axis
+ if (!is_numeric($value)) {
+ error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
 return NULL;
+ }
+ break;
+ default:
+ return NULL;
 break;
 }
diff --git a/inc/html.inc.php b/inc/html.inc.php
index 3998f54..98081ce 100644
--- a/inc/html.inc.php
+++ b/inc/html.inc.php
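Review bot: The host pattern `/^[\w-.]+$/u` on the `case 'h'` branch (and the `\w` patterns in the branches below it) is anchored with `$` but has no `D` modifier, so a value with a trailing newline such as `h=foo%0a` passes validation and is returned to the caller intact; anchor with `\z` or add `D`: `if (!preg_match('/^[\w.-]+$/Du', $value)) {`. The same class also admits `.` and `..`, which matters if `h` is later used as a path component (collectd's rrd layout suggests it is, but that use is outside this hunk), so those two values deserve an explicit reject. Moving the hyphen to the end of the class as above also sidesteps the "invalid range in character class" compile error that PCRE2 (PHP 7.3+) raises for `[\w-.]`, which would make `preg_match` return false and silently reject every host. The new `error_log` calls write the raw rejected value, so an embedded newline can forge log lines; consider `addcslashes($value, "\0..\37")` before logging. GET's body continues past the end of the hunk.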
@@ -313,15 +313,15 @@ function host_summary($cat, $hosts) {
 function breadcrumbs() {
 $path = '';
- if (validate_get(GET('h'), 'h'))
+ if (GET('h'))
 $path .= ' - '.ucfirst(GET('h'));
- if (validate_get(GET('p'), 'p'))
+ if (GET('p'))
 $path .= ' - '.ucfirst(GET('p'));
- if (validate_get(GET('pi'), 'pi'))
+ if (GET('pi'))
 $path .= ' - '.GET('pi');
- if (validate_get(GET('t'), 't') && validate_get(GET('p'), 'p') && GET('t') != GET('p'))
+ if (GET('t') && GET('p') && GET('t') != GET('p'))
 $path .= ' - '.GET('t');
- if (validate_get(GET('ti'), 'ti'))
+ if (GET('ti'))
 $path .= ' - '.GET('ti');
 return $path;
-- 
cgit v1.1
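Review bot: The new `if (GET('h'))` checks test truthiness rather than presence, so a value of `"0"` that GET()'s `\w+` patterns accept as valid is silently dropped from the breadcrumb; compare against the sentinel GET() actually returns, `if (GET('h') !== NULL)`, and likewise for `p`, `pi`, `t` and `ti`. The `GET('t') != GET('p')` comparison is loose and should be `!==`, since both sides are strings and numeric-looking values such as `"1"` and `"01"` compare equal under `!=`. breadcrumbs() closes outside the hunk.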