Security fix: unauthorized access (#10091)

* Security fix: unauthorized access Affects nginx users: Moved php files outside of public html directory (Apache was protected by .htaccess) Affects all users: Some files did not check for authentication and could disclose some info. Better checks before including files from user input * git mv html/includes/ includes/html git mv html/pages/ includes/html/
2024-10-07 16:52:45 +00:00 · 2019-04-11 23:26:42 -05:00
parent b81af32ed2
commit 36431dd296
1301 changed files with 1443 additions and 1439 deletions
--- a/includes/html/graphs/device/nfsen_common.inc.php
+++ b/includes/html/graphs/device/nfsen_common.inc.php
@@ -0,0 +1,59 @@
+<?php
+
+$simple_rrd = true;
+
+if (!is_array($config['nfsen_rrds'])) {
+    $config['nfsen_rrds'] = array($config['nfsen_rrds']);
+}
+
+foreach ($config['nfsen_rrds'] as $nfsenrrds) {
+    if ($nfsenrrds[(strlen($nfsenrrds) - 1)] != '/') {
+        $nfsenrrds .= '/';
+    }
+
+    // convert dots in filename to underscores
+    $nfsensuffix = '';
+    if ($config['nfsen_suffix']) {
+        $nfsensuffix = $config['nfsen_suffix'];
+    }
+
+    if (isset($config['nfsen_split_char']) && !empty($config['nfsen_split_char'])) {
+        $basefilename_underscored = preg_replace('/\./', $config['nfsen_split_char'], $device['hostname']);
+    } else {
+        $basefilename_underscored = $device['hostname'];
+    }
+    $nfsen_filename           = preg_replace('/'.$nfsensuffix.'/', '', $basefilename_underscored);
+
+    if (is_file($nfsenrrds.$nfsen_filename.'.rrd')) {
+        $rrd_filename = $nfsenrrds.$nfsen_filename.'.rrd';
+
+        $flowtypes = array('tcp', 'udp', 'icmp', 'other');
+
+        $rrd_list   = array();
+        $nfsen_iter = 1;
+        foreach ($flowtypes as $flowtype) {
+            $rrd_list[$nfsen_iter]['filename']  = $rrd_filename;
+            $rrd_list[$nfsen_iter]['descr'] = $flowtype;
+            $rrd_list[$nfsen_iter]['ds']    = $dsprefix.$flowtype;
+
+            // set a multiplier which in turn will create a CDEF if this var is set
+            if ($dsprefix == 'traffic_') {
+                $multiplier = '8';
+            }
+
+            $colours   = 'blues';
+            $nototal   = 0;
+            $units     = '';
+            $unit_text = $dsdescr;
+            $scale_min = '0';
+
+            if ($_GET['debug']) {
+                print_r($rrd_list);
+            }
+
+            $nfsen_iter++;
+        }
+    }
+}
+
+require 'includes/html/graphs/generic_multi_simplex_seperated.inc.php';