1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
<?php
# global functions
function GET($index = NULL, $value = NULL) {
# parse all values from $_GET when no index is given
if ($index === NULL) {
$arr = array();
foreach($_GET as $i => $v) {
$arr[$i] = GET($i);
}
return $arr;
}
if (!isset($_GET[$index]) or strlen($_GET[$index]) == 0)
return NULL;
if ($value === NULL)
$value = $_GET[$index];
$desc = array(
'h' => 'host',
'p' => 'plugin',
'c' => 'category',
't' => 'type',
'pi' => 'plugin instance',
'ti' => 'type instance',
's' => 'seconds',
'x' => 'x-axis',
'y' => 'y-axis',
);
switch($index) {
case 'h': # host
case 'pi': # plugin instance
case 'ti': # type instance
if (!preg_match('/^[\w-.: ]+$/u', $value)) {
error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
return NULL;
}
break;
case 'p': # plugin
case 'c': # category
case 't': # type
if (!preg_match('/^\w+$/u', $value)) {
error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
return NULL;
}
break;
case 's': # seconds
case 'x': # x-axis
case 'y': # y-axis
if (!is_numeric($value)) {
error_log(sprintf('Invalid %s in $_GET["%s"]: "%s"', $desc[$index], $index, $value));
return NULL;
}
break;
default:
return NULL;
break;
}
return $value;
}
function validateRRDPath($base, $path) {
$base = preg_replace('/\/$/', '', $base);
# resolve possible symlink
$base = realpath($base);
$realpath = realpath(sprintf('%s/%s', $base, $path));
if (strpos($realpath, $base) === false)
return false;
if (strpos($realpath, $base) !== 0)
return false;
if (!preg_match('/\.rrd$/', $realpath))
return false;
return $realpath;
}
function crc32hex($str) {
return sprintf("%x",crc32($str));
}
function error_image() {
header("Content-Type: image/png", true, 400);
readfile('layout/error.png');
exit;
}
|