Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

includes/html/graphs/diskio/auth.inc.php

@@ -0,0 +1,15 @@
+<?php
+
+if (is_numeric($vars['id'])) {
+    $disk = dbFetchRow('SELECT * FROM `ucd_diskio` AS U, `devices` AS D WHERE U.diskio_id = ? AND U.device_id = D.device_id', array($vars['id']));
+
+    if (is_numeric($disk['device_id']) && ($auth || device_permitted($disk['device_id']))) {
+        $device = device_by_id_cache($disk['device_id']);
+
+        $rrd_filename = rrd_name($disk['hostname'], array('ucd_diskio', $disk['diskio_descr']));
+
+        $title  = generate_device_link($device);
+        $title .= ' :: Disk :: '.htmlentities($disk['diskio_descr']);
+        $auth   = true;
+    }
+}

includes/html/graphs/diskio/bits.inc.php

@@ -0,0 +1,8 @@
+<?php
+
+$ds_in  = 'read';
+$ds_out = 'written';
+
+$format = 'bytes';
+
+require 'includes/html/graphs/generic_data.inc.php';

includes/html/graphs/diskio/ops.inc.php

@@ -0,0 +1,18 @@
+<?php
+
+$ds_in  = 'reads';
+$ds_out = 'writes';
+
+$colour_area_in  = 'FF3300';
+$colour_line_in  = 'FF0000';
+$colour_area_out = 'FF6633';
+$colour_line_out = 'CC3300';
+
+$colour_area_in_max  = 'FF6633';
+$colour_area_out_max = 'FF9966';
+
+$graph_max = 1;
+
+$unit_text = 'Ops/sec';
+
+require 'includes/html/graphs/generic_duplex.inc.php';