Security fix: unauthorized access (#10091)

* Security fix: unauthorized access
Affects nginx users:
Moved php files outside of public html directory (Apache was protected by .htaccess)

Affects all users:
Some files did not check for authentication and could disclose some info.
Better checks before including files from user input

* git mv html/includes/ includes/html
git mv html/pages/ includes/html/

includes/html/graphs/service/auth.inc.php

@@ -0,0 +1,16 @@
+<?php
+
+if (is_numeric($vars['id'])) {
+    $service = dbFetchRow('SELECT * FROM services WHERE service_id = ?', array($vars['id']));
+
+    if (is_numeric($service['device_id']) && ($auth || device_permitted($service['device_id']))) {
+        $device = device_by_id_cache($service['device_id']);
+
+        // This doesn't quite work for all yet.
+        $rrd_filename = rrd_name($device['hostname'], array('service', $service['service_type'], $service['service_id']));
+
+        $title  = generate_device_link($device);
+        $title .= ' :: Service :: '.htmlentities($service['service_type']);
+        $auth   = true;
+    }
+}

includes/html/graphs/service/availability.inc.php

@@ -0,0 +1,21 @@
+<?php
+
+$scale_min = '0';
+$scale_max = '1';
+
+require 'includes/html/graphs/common.inc.php';
+
+$service_text = substr(str_pad($service['service_type'], 28), 0, 28);
+
+$rrd_options .= " COMMENT:'                                Cur    Avail\\n'";
+$rrd_options .= " DEF:status=$rrd_filename:status:AVERAGE";
+$rrd_options .= ' CDEF:percent=status,100,*';
+$rrd_options .= ' CDEF:down=status,1,LT,status,UNKN,IF';
+$rrd_options .= ' CDEF:percentdown=down,100,*';
+$rrd_options .= ' AREA:percent#CCFFCC';
+$rrd_options .= ' AREA:percentdown#FFCCCC';
+$rrd_options .= " LINE1.5:percent#009900:'".$service_text."'";
+// Ugly hack :(
+$rrd_options .= ' LINE1.5:percentdown#cc0000';
+$rrd_options .= ' GPRINT:status:LAST:%3.0lf';
+$rrd_options .= ' GPRINT:percent:AVERAGE:%3.5lf%%\l';